)]}' { "log": [ { "commit": "3d544f411f2971eb82f5c52322251eb04494542a", "tree": "ceeae2876e2ca76acf44e15bd64d98ffefb113d4", "parents": [ "645dae969c3b8651c5bc7c54a1835ec03820f85f" ], "author": { "name": "Pekka Enberg", "email": "penberg@cs.helsinki.fi", "time": "Tue Mar 24 11:59:23 2009 +0200" }, "committer": { "name": "Ingo Molnar", "email": "mingo@elte.hu", "time": "Fri Apr 03 12:08:57 2009 +0200" }, "message": "kmemtrace, fs, security: move alloc_secdata() and free_secdata() to linux/security.h\n\nImpact: cleanup\n\nWe want to remove percpu.h from rcupdate.h (for upcoming kmemtrace\nchanges), but this is not possible currently without breaking the\nbuild because fs.h has implicit include file depedencies: it uses\nGFP_* types in inlines but does not include gfp.h.\n\nIn practice most fs.h using .c files get gfp.h included implicitly,\nvia an indirect route: via rcupdate.h inclusion - so this underlying\nproblem gets masked in practice.\n\nSo we want to solve fs.h\u0027s dependency on gfp.h.\n\ngfp.h can not be included here directly because it is not exported and it\nwould break the build the following way:\n\n /home/mingo/tip/usr/include/linux/bsg.h:11: found __[us]{8,16,32,64} type without #include \u003clinux/types.h\u003e\n /home/mingo/tip/usr/include/linux/fs.h:11: included file \u0027linux/gfp.h\u0027 is not exported\n make[3]: *** [/home/mingo/tip/usr/include/linux/.check] Error 1\n make[2]: *** [linux] Error 2\n\nAs suggested by Alexey Dobriyan, move alloc_secdata() and free_secdata()\nto linux/security.h - they belong there. This also cleans fs.h of GFP_*\nusage.\n\nSuggested-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nSigned-off-by: Pekka Enberg \u003cpenberg@cs.helsinki.fi\u003e\nCc: Eduard - Gabriel Munteanu \u003ceduard.munteanu@linux360.ro\u003e\nLKML-Reference: \u003c1237906803.25315.96.camel@penberg-laptop\u003e\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\n" }, { "commit": "8651d5c0b1f874c5b8307ae2b858bc40f9f02482", "tree": "c09bee8fdc4c659d155b47911dc87ce4c09b6676", "parents": [ "58bfbb51ff2b0fdc6c732ff3d72f50aa632b67a2" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Mar 27 17:10:48 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Mar 28 15:01:37 2009 +1100" }, "message": "lsm: Remove the socket_post_accept() hook\n\nThe socket_post_accept() hook is not currently used by any in-tree modules\nand its existence continues to cause problems by confusing people about\nwhat can be safely accomplished using this hook. If a legitimate need for\nthis hook arises in the future it can always be reintroduced.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ac8cc0fa5395fe2278e305a4cbed48e90d88d878", "tree": "515f577bfddd054ee4373228be7c974dfb8133af", "parents": [ "238c6d54830c624f34ac9cf123ac04aebfca5013", "3699c53c485bf0168e6500d0ed18bf931584dd7c" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:58:22 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:58:22 2009 +1100" }, "message": "Merge branch \u0027next\u0027 into for-linus\n" }, { "commit": "3699c53c485bf0168e6500d0ed18bf931584dd7c", "tree": "eee63a8ddbdb0665bc6a4a053a2405ca7a5b867f", "parents": [ "29881c4502ba05f46bc12ae8053d4e08d7e2615c" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Jan 06 22:27:01 2009 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:38:48 2009 +1100" }, "message": "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #3]\n\nFix a regression in cap_capable() due to:\n\n\tcommit 3b11a1decef07c19443d24ae926982bc8ec9f4c0\n\tAuthor: David Howells \u003cdhowells@redhat.com\u003e\n\tDate: Fri Nov 14 10:39:26 2008 +1100\n\n\t CRED: Differentiate objective and effective subjective credentials on a task\n\nThe problem is that the above patch allows a process to have two sets of\ncredentials, and for the most part uses the subjective credentials when\naccessing current\u0027s creds.\n\nThere is, however, one exception: cap_capable(), and thus capable(), uses the\nreal/objective credentials of the target task, whether or not it is the current\ntask.\n\nOrdinarily this doesn\u0027t matter, since usually the two cred pointers in current\npoint to the same set of creds. However, sys_faccessat() makes use of this\nfacility to override the credentials of the calling process to make its test,\nwithout affecting the creds as seen from other processes.\n\nOne of the things sys_faccessat() does is to make an adjustment to the\neffective capabilities mask, which cap_capable(), as it stands, then ignores.\n\nThe affected capability check is in generic_permission():\n\n\tif (!(mask \u0026 MAY_EXEC) || execute_ok(inode))\n\t\tif (capable(CAP_DAC_OVERRIDE))\n\t\t\treturn 0;\n\nThis change passes the set of credentials to be tested down into the commoncap\nand SELinux code. The security functions called by capable() and\nhas_capability() select the appropriate set of credentials from the process\nbeing checked.\n\nThis can be tested by compiling the following program from the XFS testsuite:\n\n/*\n * t_access_root.c - trivial test program to show permission bug.\n *\n * Written by Michael Kerrisk - copyright ownership not pursued.\n * Sourced from: http://linux.derkeiler.com/Mailing-Lists/Kernel/2003-10/6030.html\n */\n#include \u003climits.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003csys/stat.h\u003e\n\n#define UID 500\n#define GID 100\n#define PERM 0\n#define TESTPATH \"/tmp/t_access\"\n\nstatic void\nerrExit(char *msg)\n{\n perror(msg);\n exit(EXIT_FAILURE);\n} /* errExit */\n\nstatic void\naccessTest(char *file, int mask, char *mstr)\n{\n printf(\"access(%s, %s) returns %d\\n\", file, mstr, access(file, mask));\n} /* accessTest */\n\nint\nmain(int argc, char *argv[])\n{\n int fd, perm, uid, gid;\n char *testpath;\n char cmd[PATH_MAX + 20];\n\n testpath \u003d (argc \u003e 1) ? argv[1] : TESTPATH;\n perm \u003d (argc \u003e 2) ? strtoul(argv[2], NULL, 8) : PERM;\n uid \u003d (argc \u003e 3) ? atoi(argv[3]) : UID;\n gid \u003d (argc \u003e 4) ? atoi(argv[4]) : GID;\n\n unlink(testpath);\n\n fd \u003d open(testpath, O_RDWR | O_CREAT, 0);\n if (fd \u003d\u003d -1) errExit(\"open\");\n\n if (fchown(fd, uid, gid) \u003d\u003d -1) errExit(\"fchown\");\n if (fchmod(fd, perm) \u003d\u003d -1) errExit(\"fchmod\");\n close(fd);\n\n snprintf(cmd, sizeof(cmd), \"ls -l %s\", testpath);\n system(cmd);\n\n if (seteuid(uid) \u003d\u003d -1) errExit(\"seteuid\");\n\n accessTest(testpath, 0, \"0\");\n accessTest(testpath, R_OK, \"R_OK\");\n accessTest(testpath, W_OK, \"W_OK\");\n accessTest(testpath, X_OK, \"X_OK\");\n accessTest(testpath, R_OK | W_OK, \"R_OK | W_OK\");\n accessTest(testpath, R_OK | X_OK, \"R_OK | X_OK\");\n accessTest(testpath, W_OK | X_OK, \"W_OK | X_OK\");\n accessTest(testpath, R_OK | W_OK | X_OK, \"R_OK | W_OK | X_OK\");\n\n exit(EXIT_SUCCESS);\n} /* main */\n\nThis can be run against an Ext3 filesystem as well as against an XFS\nfilesystem. If successful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 03:00 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns 0\n\taccess(/tmp/xxx, W_OK) returns 0\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns 0\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nIf unsuccessful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 02:56 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns -1\n\taccess(/tmp/xxx, W_OK) returns -1\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns -1\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nI\u0027ve also tested the fix with the SELinux and syscalls LTP testsuites.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: J. Bruce Fields \u003cbfields@citi.umich.edu\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "29881c4502ba05f46bc12ae8053d4e08d7e2615c", "tree": "536ea4ac63554e836438bd5f370ddecaa343f1f4", "parents": [ "76f7ba35d4b5219fcc4cb072134c020ec77d030d" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:21:54 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:21:54 2009 +1100" }, "message": "Revert \"CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]\"\n\nThis reverts commit 14eaddc967b16017d4a1a24d2be6c28ecbe06ed8.\n\nDavid has a better version to come.\n" }, { "commit": "14eaddc967b16017d4a1a24d2be6c28ecbe06ed8", "tree": "ce10216d592f0fa89ae02c4e4e9e9497010e7714", "parents": [ "5c8c40be4b5a2944483bfc1a45d6c3fa02551af3" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Dec 31 15:15:42 2008 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 05 11:17:04 2009 +1100" }, "message": "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]\n\nFix a regression in cap_capable() due to:\n\n\tcommit 5ff7711e635b32f0a1e558227d030c7e45b4a465\n\tAuthor: David Howells \u003cdhowells@redhat.com\u003e\n\tDate: Wed Dec 31 02:52:28 2008 +0000\n\n\t CRED: Differentiate objective and effective subjective credentials on a task\n\nThe problem is that the above patch allows a process to have two sets of\ncredentials, and for the most part uses the subjective credentials when\naccessing current\u0027s creds.\n\nThere is, however, one exception: cap_capable(), and thus capable(), uses the\nreal/objective credentials of the target task, whether or not it is the current\ntask.\n\nOrdinarily this doesn\u0027t matter, since usually the two cred pointers in current\npoint to the same set of creds. However, sys_faccessat() makes use of this\nfacility to override the credentials of the calling process to make its test,\nwithout affecting the creds as seen from other processes.\n\nOne of the things sys_faccessat() does is to make an adjustment to the\neffective capabilities mask, which cap_capable(), as it stands, then ignores.\n\nThe affected capability check is in generic_permission():\n\n\tif (!(mask \u0026 MAY_EXEC) || execute_ok(inode))\n\t\tif (capable(CAP_DAC_OVERRIDE))\n\t\t\treturn 0;\n\nThis change splits capable() from has_capability() down into the commoncap and\nSELinux code. The capable() security op now only deals with the current\nprocess, and uses the current process\u0027s subjective creds. A new security op -\ntask_capable() - is introduced that can check any task\u0027s objective creds.\n\nstrictly the capable() security op is superfluous with the presence of the\ntask_capable() op, however it should be faster to call the capable() op since\ntwo fewer arguments need be passed down through the various layers.\n\nThis can be tested by compiling the following program from the XFS testsuite:\n\n/*\n * t_access_root.c - trivial test program to show permission bug.\n *\n * Written by Michael Kerrisk - copyright ownership not pursued.\n * Sourced from: http://linux.derkeiler.com/Mailing-Lists/Kernel/2003-10/6030.html\n */\n#include \u003climits.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003csys/stat.h\u003e\n\n#define UID 500\n#define GID 100\n#define PERM 0\n#define TESTPATH \"/tmp/t_access\"\n\nstatic void\nerrExit(char *msg)\n{\n perror(msg);\n exit(EXIT_FAILURE);\n} /* errExit */\n\nstatic void\naccessTest(char *file, int mask, char *mstr)\n{\n printf(\"access(%s, %s) returns %d\\n\", file, mstr, access(file, mask));\n} /* accessTest */\n\nint\nmain(int argc, char *argv[])\n{\n int fd, perm, uid, gid;\n char *testpath;\n char cmd[PATH_MAX + 20];\n\n testpath \u003d (argc \u003e 1) ? argv[1] : TESTPATH;\n perm \u003d (argc \u003e 2) ? strtoul(argv[2], NULL, 8) : PERM;\n uid \u003d (argc \u003e 3) ? atoi(argv[3]) : UID;\n gid \u003d (argc \u003e 4) ? atoi(argv[4]) : GID;\n\n unlink(testpath);\n\n fd \u003d open(testpath, O_RDWR | O_CREAT, 0);\n if (fd \u003d\u003d -1) errExit(\"open\");\n\n if (fchown(fd, uid, gid) \u003d\u003d -1) errExit(\"fchown\");\n if (fchmod(fd, perm) \u003d\u003d -1) errExit(\"fchmod\");\n close(fd);\n\n snprintf(cmd, sizeof(cmd), \"ls -l %s\", testpath);\n system(cmd);\n\n if (seteuid(uid) \u003d\u003d -1) errExit(\"seteuid\");\n\n accessTest(testpath, 0, \"0\");\n accessTest(testpath, R_OK, \"R_OK\");\n accessTest(testpath, W_OK, \"W_OK\");\n accessTest(testpath, X_OK, \"X_OK\");\n accessTest(testpath, R_OK | W_OK, \"R_OK | W_OK\");\n accessTest(testpath, R_OK | X_OK, \"R_OK | X_OK\");\n accessTest(testpath, W_OK | X_OK, \"W_OK | X_OK\");\n accessTest(testpath, R_OK | W_OK | X_OK, \"R_OK | W_OK | X_OK\");\n\n exit(EXIT_SUCCESS);\n} /* main */\n\nThis can be run against an Ext3 filesystem as well as against an XFS\nfilesystem. If successful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 03:00 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns 0\n\taccess(/tmp/xxx, W_OK) returns 0\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns 0\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nIf unsuccessful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 02:56 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns -1\n\taccess(/tmp/xxx, W_OK) returns -1\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns -1\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nI\u0027ve also tested the fix with the SELinux and syscalls LTP testsuites.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "be6d3e56a6b9b3a4ee44a0685e39e595073c6f0d", "tree": "3a770f4cc676efeba443b28caa1ad195eeff49bc", "parents": [ "6a94cb73064c952255336cc57731904174b2c58f" ], "author": { "name": "Kentaro Takeda", "email": "takedakn@nttdata.co.jp", "time": "Wed Dec 17 13:24:15 2008 +0900" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Dec 31 18:07:37 2008 -0500" }, "message": "introduce new LSM hooks where vfsmount is available.\n\nAdd new LSM hooks for path-based checks. Call them on directory-modifying\noperations at the points where we still know the vfsmount involved.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "12204e24b1330428c3062faee10a0d80b8a5cb61", "tree": "d92ee705a86f0ec2bf85c8a797239dbb840d5927", "parents": [ "459c19f524a9d89c65717a7d061d5f11ecf6bcb8" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Dec 19 10:44:42 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Dec 20 09:02:39 2008 +1100" }, "message": "security: pass mount flags to security_sb_kern_mount()\n\nPass mount flags to security_sb_kern_mount(), so security modules\ncan determine if a mount operation is being performed by the kernel.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "ec98ce480ada787f2cfbd696980ff3564415505b", "tree": "1a4d644b38f9f1e4b4e086fde0b195df4a92cf84", "parents": [ "3496f92beb9aa99ef21fccc154a36c7698e9c538", "feaf3848a813a106f163013af6fcf6c4bfec92d9" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Dec 04 17:16:36 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Dec 04 17:16:36 2008 +1100" }, "message": "Merge branch \u0027master\u0027 into next\n\nConflicts:\n\tfs/nfsd/nfs4recover.c\n\nManually fixed above to use new creds API functions, e.g.\nnfs4_save_creds().\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1b79cd04fab80be61dcd2732e2423aafde9a4c1c", "tree": "b9ff5f0de1c0ef011ac62096218d2fd4bc70c56b", "parents": [ "061e41fdb5047b1fb161e89664057835935ca1d2" ], "author": { "name": "Junjiro R. Okajima", "email": "hooanon05@yahoo.co.jp", "time": "Tue Dec 02 10:31:46 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Dec 02 15:50:40 2008 -0800" }, "message": "nfsd: fix vm overcommit crash fix #2\n\nThe previous patch from Alan Cox (\"nfsd: fix vm overcommit crash\",\ncommit 731572d39fcd3498702eda4600db4c43d51e0b26) fixed the problem where\nknfsd crashes on exported shmemfs objects and strict overcommit is set.\n\nBut the patch forgot supporting the case when CONFIG_SECURITY is\ndisabled.\n\nThis patch copies a part of his fix which is mainly for detecting a bug\nearlier.\n\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Alan Cox \u003calan@redhat.com\u003e\nSigned-off-by: Junjiro R. Okajima \u003chooanon05@yahoo.co.jp\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "3a3b7ce9336952ea7b9564d976d068a238976c9d", "tree": "3f0a3be33022492161f534636a20a4b1059f8236", "parents": [ "1bfdc75ae077d60a01572a7781ec6264d55ab1b9" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:28 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:28 2008 +1100" }, "message": "CRED: Allow kernel services to override LSM settings for task actions\n\nAllow kernel services to override LSM settings appropriate to the actions\nperformed by a task by duplicating a set of credentials, modifying it and then\nusing task_struct::cred to point to it when performing operations on behalf of\na task.\n\nThis is used, for example, by CacheFiles which has to transparently access the\ncache on behalf of a process that thinks it is doing, say, NFS accesses with a\npotentially inappropriate (with respect to accessing the cache) set of\ncredentials.\n\nThis patch provides two LSM hooks for modifying a task security record:\n\n (*) security_kernel_act_as() which allows modification of the security datum\n with which a task acts on other objects (most notably files).\n\n (*) security_kernel_create_files_as() which allows modification of the\n security datum that is used to initialise the security data on a file that\n a task creates.\n\nThe patch also provides four new credentials handling functions, which wrap the\nLSM functions:\n\n (1) prepare_kernel_cred()\n\n Prepare a set of credentials for a kernel service to use, based either on\n a daemon\u0027s credentials or on init_cred. All the keyrings are cleared.\n\n (2) set_security_override()\n\n Set the LSM security ID in a set of credentials to a specific security\n context, assuming permission from the LSM policy.\n\n (3) set_security_override_from_ctx()\n\n As (2), but takes the security context as a string.\n\n (4) set_create_files_as()\n\n Set the file creation LSM security ID in a set of credentials to be the\n same as that on a particular inode.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e [Smack changes]\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "a6f76f23d297f70e2a6b3ec607f7aeeea9e37e8d", "tree": "8f95617996d0974507f176163459212a7def8b9a", "parents": [ "d84f4f992cbd76e8f39c488cf0c5d123843923b1" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "message": "CRED: Make execve() take advantage of copy-on-write credentials\n\nMake execve() take advantage of copy-on-write credentials, allowing it to set\nup the credentials in advance, and then commit the whole lot after the point\nof no return.\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n The credential bits from struct linux_binprm are, for the most part,\n replaced with a single credentials pointer (bprm-\u003ecred). This means that\n all the creds can be calculated in advance and then applied at the point\n of no return with no possibility of failure.\n\n I would like to replace bprm-\u003ecap_effective with:\n\n\tcap_isclear(bprm-\u003ecap_effective)\n\n but this seems impossible due to special behaviour for processes of pid 1\n (they always retain their parent\u0027s capability masks where normally they\u0027d\n be changed - see cap_bprm_set_creds()).\n\n The following sequence of events now happens:\n\n (a) At the start of do_execve, the current task\u0027s cred_exec_mutex is\n \t locked to prevent PTRACE_ATTACH from obsoleting the calculation of\n \t creds that we make.\n\n (a) prepare_exec_creds() is then called to make a copy of the current\n \t task\u0027s credentials and prepare it. This copy is then assigned to\n \t bprm-\u003ecred.\n\n \t This renders security_bprm_alloc() and security_bprm_free()\n \t unnecessary, and so they\u0027ve been removed.\n\n (b) The determination of unsafe execution is now performed immediately\n \t after (a) rather than later on in the code. The result is stored in\n \t bprm-\u003eunsafe for future reference.\n\n (c) prepare_binprm() is called, possibly multiple times.\n\n \t (i) This applies the result of set[ug]id binaries to the new creds\n \t attached to bprm-\u003ecred. Personality bit clearance is recorded,\n \t but now deferred on the basis that the exec procedure may yet\n \t fail.\n\n (ii) This then calls the new security_bprm_set_creds(). This should\n\t calculate the new LSM and capability credentials into *bprm-\u003ecred.\n\n\t This folds together security_bprm_set() and parts of\n\t security_bprm_apply_creds() (these two have been removed).\n\t Anything that might fail must be done at this point.\n\n (iii) bprm-\u003ecred_prepared is set to 1.\n\n\t bprm-\u003ecred_prepared is 0 on the first pass of the security\n\t calculations, and 1 on all subsequent passes. This allows SELinux\n\t in (ii) to base its calculations only on the initial script and\n\t not on the interpreter.\n\n (d) flush_old_exec() is called to commit the task to execution. This\n \t performs the following steps with regard to credentials:\n\n\t (i) Clear pdeath_signal and set dumpable on certain circumstances that\n\t may not be covered by commit_creds().\n\n (ii) Clear any bits in current-\u003epersonality that were deferred from\n (c.i).\n\n (e) install_exec_creds() [compute_creds() as was] is called to install the\n \t new credentials. This performs the following steps with regard to\n \t credentials:\n\n (i) Calls security_bprm_committing_creds() to apply any security\n requirements, such as flushing unauthorised files in SELinux, that\n must be done before the credentials are changed.\n\n\t This is made up of bits of security_bprm_apply_creds() and\n\t security_bprm_post_apply_creds(), both of which have been removed.\n\t This function is not allowed to fail; anything that might fail\n\t must have been done in (c.ii).\n\n (ii) Calls commit_creds() to apply the new credentials in a single\n assignment (more or less). Possibly pdeath_signal and dumpable\n should be part of struct creds.\n\n\t (iii) Unlocks the task\u0027s cred_replace_mutex, thus allowing\n\t PTRACE_ATTACH to take place.\n\n (iv) Clears The bprm-\u003ecred pointer as the credentials it was holding\n are now immutable.\n\n (v) Calls security_bprm_committed_creds() to apply any security\n alterations that must be done after the creds have been changed.\n SELinux uses this to flush signals and signal handlers.\n\n (f) If an error occurs before (d.i), bprm_free() will call abort_creds()\n \t to destroy the proposed new credentials and will then unlock\n \t cred_replace_mutex. No changes to the credentials will have been\n \t made.\n\n (2) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_bprm_alloc(), -\u003ebprm_alloc_security()\n (*) security_bprm_free(), -\u003ebprm_free_security()\n\n \t Removed in favour of preparing new credentials and modifying those.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n (*) security_bprm_post_apply_creds(), -\u003ebprm_post_apply_creds()\n\n \t Removed; split between security_bprm_set_creds(),\n \t security_bprm_committing_creds() and security_bprm_committed_creds().\n\n (*) security_bprm_set(), -\u003ebprm_set_security()\n\n \t Removed; folded into security_bprm_set_creds().\n\n (*) security_bprm_set_creds(), -\u003ebprm_set_creds()\n\n \t New. The new credentials in bprm-\u003ecreds should be checked and set up\n \t as appropriate. bprm-\u003ecred_prepared is 0 on the first call, 1 on the\n \t second and subsequent calls.\n\n (*) security_bprm_committing_creds(), -\u003ebprm_committing_creds()\n (*) security_bprm_committed_creds(), -\u003ebprm_committed_creds()\n\n \t New. Apply the security effects of the new credentials. This\n \t includes closing unauthorised files in SELinux. This function may not\n \t fail. When the former is called, the creds haven\u0027t yet been applied\n \t to the process; when the latter is called, they have.\n\n \t The former may access bprm-\u003ecred, the latter may not.\n\n (3) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) The bprm_security_struct struct has been removed in favour of using\n \t the credentials-under-construction approach.\n\n (c) flush_unauthorized_files() now takes a cred pointer and passes it on\n \t to inode_has_perm(), file_has_perm() and dentry_open().\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d84f4f992cbd76e8f39c488cf0c5d123843923b1", "tree": "fc4a0349c42995715b93d0f7a3c78e9ea9b3f36e", "parents": [ "745ca2475a6ac596e3d8d37c2759c0fbe2586227" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "message": "CRED: Inaugurate COW credentials\n\nInaugurate copy-on-write credentials management. This uses RCU to manage the\ncredentials pointer in the task_struct with respect to accesses by other tasks.\nA process may only modify its own credentials, and so does not need locking to\naccess or modify its own credentials.\n\nA mutex (cred_replace_mutex) is added to the task_struct to control the effect\nof PTRACE_ATTACHED on credential calculations, particularly with respect to\nexecve().\n\nWith this patch, the contents of an active credentials struct may not be\nchanged directly; rather a new set of credentials must be prepared, modified\nand committed using something like the following sequence of events:\n\n\tstruct cred *new \u003d prepare_creds();\n\tint ret \u003d blah(new);\n\tif (ret \u003c 0) {\n\t\tabort_creds(new);\n\t\treturn ret;\n\t}\n\treturn commit_creds(new);\n\nThere are some exceptions to this rule: the keyrings pointed to by the active\ncredentials may be instantiated - keyrings violate the COW rule as managing\nCOW keyrings is tricky, given that it is possible for a task to directly alter\nthe keys in a keyring in use by another task.\n\nTo help enforce this, various pointers to sets of credentials, such as those in\nthe task_struct, are declared const. The purpose of this is compile-time\ndiscouragement of altering credentials through those pointers. Once a set of\ncredentials has been made public through one of these pointers, it may not be\nmodified, except under special circumstances:\n\n (1) Its reference count may incremented and decremented.\n\n (2) The keyrings to which it points may be modified, but not replaced.\n\nThe only safe way to modify anything else is to create a replacement and commit\nusing the functions described in Documentation/credentials.txt (which will be\nadded by a later patch).\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n This now prepares and commits credentials in various places in the\n security code rather than altering the current creds directly.\n\n (2) Temporary credential overrides.\n\n do_coredump() and sys_faccessat() now prepare their own credentials and\n temporarily override the ones currently on the acting thread, whilst\n preventing interference from other threads by holding cred_replace_mutex\n on the thread being dumped.\n\n This will be replaced in a future patch by something that hands down the\n credentials directly to the functions being called, rather than altering\n the task\u0027s objective credentials.\n\n (3) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_capset_check(), -\u003ecapset_check()\n (*) security_capset_set(), -\u003ecapset_set()\n\n \t Removed in favour of security_capset().\n\n (*) security_capset(), -\u003ecapset()\n\n \t New. This is passed a pointer to the new creds, a pointer to the old\n \t creds and the proposed capability sets. It should fill in the new\n \t creds or return an error. All pointers, barring the pointer to the\n \t new creds, are now const.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n\n \t Changed; now returns a value, which will cause the process to be\n \t killed if it\u0027s an error.\n\n (*) security_task_alloc(), -\u003etask_alloc_security()\n\n \t Removed in favour of security_prepare_creds().\n\n (*) security_cred_free(), -\u003ecred_free()\n\n \t New. Free security data attached to cred-\u003esecurity.\n\n (*) security_prepare_creds(), -\u003ecred_prepare()\n\n \t New. Duplicate any security data attached to cred-\u003esecurity.\n\n (*) security_commit_creds(), -\u003ecred_commit()\n\n \t New. Apply any security effects for the upcoming installation of new\n \t security by commit_creds().\n\n (*) security_task_post_setuid(), -\u003etask_post_setuid()\n\n \t Removed in favour of security_task_fix_setuid().\n\n (*) security_task_fix_setuid(), -\u003etask_fix_setuid()\n\n \t Fix up the proposed new credentials for setuid(). This is used by\n \t cap_set_fix_setuid() to implicitly adjust capabilities in line with\n \t setuid() changes. Changes are made to the new credentials, rather\n \t than the task itself as in security_task_post_setuid().\n\n (*) security_task_reparent_to_init(), -\u003etask_reparent_to_init()\n\n \t Removed. Instead the task being reparented to init is referred\n \t directly to init\u0027s credentials.\n\n\t NOTE! This results in the loss of some state: SELinux\u0027s osid no\n\t longer records the sid of the thread that forked it.\n\n (*) security_key_alloc(), -\u003ekey_alloc()\n (*) security_key_permission(), -\u003ekey_permission()\n\n \t Changed. These now take cred pointers rather than task pointers to\n \t refer to the security context.\n\n (4) sys_capset().\n\n This has been simplified and uses less locking. The LSM functions it\n calls have been merged.\n\n (5) reparent_to_kthreadd().\n\n This gives the current thread the same credentials as init by simply using\n commit_thread() to point that way.\n\n (6) __sigqueue_alloc() and switch_uid()\n\n __sigqueue_alloc() can\u0027t stop the target task from changing its creds\n beneath it, so this function gets a reference to the currently applicable\n user_struct which it then passes into the sigqueue struct it returns if\n successful.\n\n switch_uid() is now called from commit_creds(), and possibly should be\n folded into that. commit_creds() should take care of protecting\n __sigqueue_alloc().\n\n (7) [sg]et[ug]id() and co and [sg]et_current_groups.\n\n The set functions now all use prepare_creds(), commit_creds() and\n abort_creds() to build and check a new set of credentials before applying\n it.\n\n security_task_set[ug]id() is called inside the prepared section. This\n guarantees that nothing else will affect the creds until we\u0027ve finished.\n\n The calling of set_dumpable() has been moved into commit_creds().\n\n Much of the functionality of set_user() has been moved into\n commit_creds().\n\n The get functions all simply access the data directly.\n\n (8) security_task_prctl() and cap_task_prctl().\n\n security_task_prctl() has been modified to return -ENOSYS if it doesn\u0027t\n want to handle a function, or otherwise return the return value directly\n rather than through an argument.\n\n Additionally, cap_task_prctl() now prepares a new set of credentials, even\n if it doesn\u0027t end up using it.\n\n (9) Keyrings.\n\n A number of changes have been made to the keyrings code:\n\n (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have\n \t all been dropped and built in to the credentials functions directly.\n \t They may want separating out again later.\n\n (b) key_alloc() and search_process_keyrings() now take a cred pointer\n \t rather than a task pointer to specify the security context.\n\n (c) copy_creds() gives a new thread within the same thread group a new\n \t thread keyring if its parent had one, otherwise it discards the thread\n \t keyring.\n\n (d) The authorisation key now points directly to the credentials to extend\n \t the search into rather pointing to the task that carries them.\n\n (e) Installing thread, process or session keyrings causes a new set of\n \t credentials to be created, even though it\u0027s not strictly necessary for\n \t process or session keyrings (they\u0027re shared).\n\n(10) Usermode helper.\n\n The usermode helper code now carries a cred struct pointer in its\n subprocess_info struct instead of a new session keyring pointer. This set\n of credentials is derived from init_cred and installed on the new process\n after it has been cloned.\n\n call_usermodehelper_setup() allocates the new credentials and\n call_usermodehelper_freeinfo() discards them if they haven\u0027t been used. A\n special cred function (prepare_usermodeinfo_creds()) is provided\n specifically for call_usermodehelper_setup() to call.\n\n call_usermodehelper_setkeys() adjusts the credentials to sport the\n supplied keyring as the new session keyring.\n\n(11) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) selinux_setprocattr() no longer does its check for whether the\n \t current ptracer can access processes with the new SID inside the lock\n \t that covers getting the ptracer\u0027s SID. Whilst this lock ensures that\n \t the check is done with the ptracer pinned, the result is only valid\n \t until the lock is released, so there\u0027s no point doing it inside the\n \t lock.\n\n(12) is_single_threaded().\n\n This function has been extracted from selinux_setprocattr() and put into\n a file of its own in the lib/ directory as join_session_keyring() now\n wants to use it too.\n\n The code in SELinux just checked to see whether a task shared mm_structs\n with other tasks (CLONE_VM), but that isn\u0027t good enough. We really want\n to know if they\u0027re part of the same thread group (CLONE_THREAD).\n\n(13) nfsd.\n\n The NFS server daemon now has to use the COW credentials to set the\n credentials it is going to use. It really needs to pass the credentials\n down to the functions it calls, but it can\u0027t do that until other patches\n in this series have been applied.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "745ca2475a6ac596e3d8d37c2759c0fbe2586227", "tree": "f87c34bdfbc8542477b16a014bbb4e3b415b286a", "parents": [ "88e67f3b8898c5ea81d2916dd5b8bc9c0c35ba13" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:22 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:22 2008 +1100" }, "message": "CRED: Pass credentials through dentry_open()\n\nPass credentials through dentry_open() so that the COW creds patch can have\nSELinux\u0027s flush_unauthorized_files() pass the appropriate creds back to itself\nwhen it opens its null chardev.\n\nThe security_dentry_open() call also now takes a creds pointer, as does the\ndentry_open hook in struct security_operations.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f1752eec6145c97163dbce62d17cf5d928e28a27", "tree": "16bc51166d38815092de36a461b845b0b4b522f9", "parents": [ "b6dff3ec5e116e3af6f537d4caedcad6b9e5082a" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:17 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:17 2008 +1100" }, "message": "CRED: Detach the credentials from task_struct\n\nDetach the credentials from task_struct, duplicating them in copy_process()\nand releasing them in __put_task_struct().\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "15a2460ed0af7538ca8e6c610fe607a2cd9da142", "tree": "3611bc03e9c30fe0d11454f6966e6b0ca7f1dbd0", "parents": [ "1cdcbec1a3372c0c49c59d292e708fd07b509f18" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:15 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:15 2008 +1100" }, "message": "CRED: Constify the kernel_cap_t arguments to the capset LSM hooks\n\nConstify the kernel_cap_t arguments to the capset LSM hooks.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1cdcbec1a3372c0c49c59d292e708fd07b509f18", "tree": "d1bd302c8d66862da45b494cbc766fb4caa5e23e", "parents": [ "8bbf4976b59fc9fc2861e79cab7beb3f6d647640" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:14 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:14 2008 +1100" }, "message": "CRED: Neuter sys_capset()\n\nTake away the ability for sys_capset() to affect processes other than current.\n\nThis means that current will not need to lock its own credentials when reading\nthem against interference by other processes.\n\nThis has effectively been the case for a while anyway, since:\n\n (1) Without LSM enabled, sys_capset() is disallowed.\n\n (2) With file-based capabilities, sys_capset() is neutered.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "06112163f5fd9e491a7f810443d81efa9d88e247", "tree": "48039f7488abbec36c0982a57405b57d47311dd6", "parents": [ "637d32dc720897616e8a1a4f9e9609e29d431800" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 11 22:02:50 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Nov 11 22:02:50 2008 +1100" }, "message": "Add a new capable interface that will be used by systems that use audit to\nmake an A or B type decision instead of a security decision. Currently\nthis is the case at least for filesystems when deciding if a process can use\nthe reserved \u0027root\u0027 blocks and for the case of things like the oom\nalgorithm determining if processes are root processes and should be less\nlikely to be killed. These types of security system requests should not be\naudited or logged since they are not really security decisions. It would be\npossible to solve this problem like the vm_enough_memory security check did\nby creating a new LSM interface and moving all of the policy into that\ninterface but proves the needlessly bloat the LSM and provide complex\nindirection.\n\nThis merely allows those decisions to be made where they belong and to not\nflood logs or printk with denials for thing that are not security decisions.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "731572d39fcd3498702eda4600db4c43d51e0b26", "tree": "f892907ae20539845f353d72d2a2bf202b67e007", "parents": [ "6c89161b10f5771ee0b51ada0fce0e8835e72ade" ], "author": { "name": "Alan Cox", "email": "alan@redhat.com", "time": "Wed Oct 29 14:01:20 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Oct 30 11:38:47 2008 -0700" }, "message": "nfsd: fix vm overcommit crash\n\nJunjiro R. Okajima reported a problem where knfsd crashes if you are\nusing it to export shmemfs objects and run strict overcommit. In this\nsituation the current-\u003emm based modifier to the overcommit goes through a\nNULL pointer.\n\nWe could simply check for NULL and skip the modifier but we\u0027ve caught\nother real bugs in the past from mm being NULL here - cases where we did\nneed a valid mm set up (eg the exec bug about a year ago).\n\nTo preserve the checks and get the logic we want shuffle the checking\naround and add a new helper to the vm_ security wrappers\n\nAlso fix a current-\u003emm reference in nommu that should use the passed mm\n\n[akpm@linux-foundation.org: coding-style fixes]\n[akpm@linux-foundation.org: fix build]\nReported-by: Junjiro R. Okajima \u003chooanon05@yahoo.co.jp\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Alan Cox \u003calan@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "da31894ed7b654e2e1741e7ac4ef6c15be0dd14b", "tree": "7247357082b105a4aab13a2fb7dad73886f1a9e5", "parents": [ "86d688984deefa3ae5a802880c11f2b408b5d6cf" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Aug 22 11:35:57 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Aug 28 10:47:42 2008 +1000" }, "message": "securityfs: do not depend on CONFIG_SECURITY\n\nAdd a new Kconfig option SECURITYFS which will build securityfs support\nbut does not require CONFIG_SECURITY. The only current user of\nsecurityfs does not depend on CONFIG_SECURITY and there is no reason the\nfull LSM needs to be built to build this fs.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5e186b57e7ede86aeb9db30e66315bde4e8b1815", "tree": "12f5057890c96b344165c65bba932d34562534fc", "parents": [ "b09c3e3f1710b554348c98e78fbf4a661918779a" ], "author": { "name": "Alexander Beregalov", "email": "a.beregalov@gmail.com", "time": "Sun Aug 17 05:34:20 2008 +0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sun Aug 17 22:47:30 2008 +1000" }, "message": "security.h: fix build failure\n\nsecurity.h: fix build failure\n\ninclude/linux/security.h: In function \u0027security_ptrace_traceme\u0027:\ninclude/linux/security.h:1760: error: \u0027parent\u0027 undeclared (first use in this function)\n\nSigned-off-by: Alexander Beregalov \u003ca.beregalov@gmail.com\u003e\nTested-by: Ingo Molnar \u003cmingo@elte.hu\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5cd9c58fbe9ec92b45b27e131719af4f2bd9eb40", "tree": "8573db001b4dc3c2ad97102dda42b841c40b5f6c", "parents": [ "8d0968abd03ec6b407df117adc773562386702fa" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Aug 14 11:37:28 2008 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Aug 14 22:59:43 2008 +1000" }, "message": "security: Fix setting of PF_SUPERPRIV by __capable()\n\nFix the setting of PF_SUPERPRIV by __capable() as it could corrupt the flags\nthe target process if that is not the current process and it is trying to\nchange its own flags in a different way at the same time.\n\n__capable() is using neither atomic ops nor locking to protect t-\u003eflags. This\npatch removes __capable() and introduces has_capability() that doesn\u0027t set\nPF_SUPERPRIV on the process being queried.\n\nThis patch further splits security_ptrace() in two:\n\n (1) security_ptrace_may_access(). This passes judgement on whether one\n process may access another only (PTRACE_MODE_ATTACH for ptrace() and\n PTRACE_MODE_READ for /proc), and takes a pointer to the child process.\n current is the parent.\n\n (2) security_ptrace_traceme(). This passes judgement on PTRACE_TRACEME only,\n and takes only a pointer to the parent process. current is the child.\n\n In Smack and commoncap, this uses has_capability() to determine whether\n the parent will be permitted to use PTRACE_ATTACH if normal checks fail.\n This does not set PF_SUPERPRIV.\n\nTwo of the instances of __capable() actually only act on current, and so have\nbeen changed to calls to capable().\n\nOf the places that were using __capable():\n\n (1) The OOM killer calls __capable() thrice when weighing the killability of a\n process. All of these now use has_capability().\n\n (2) cap_ptrace() and smack_ptrace() were using __capable() to check to see\n whether the parent was allowed to trace any process. As mentioned above,\n these have been split. For PTRACE_ATTACH and /proc, capable() is now\n used, and for PTRACE_TRACEME, has_capability() is used.\n\n (3) cap_safe_nice() only ever saw current, so now uses capable().\n\n (4) smack_setprocattr() rejected accesses to tasks other than current just\n after calling __capable(), so the order of these two tests have been\n switched and capable() is used instead.\n\n (5) In smack_file_send_sigiotask(), we need to allow privileged processes to\n receive SIGIO on files they\u0027re manipulating.\n\n (6) In smack_task_wait(), we let a process wait for a privileged process,\n whether or not the process doing the waiting is privileged.\n\nI\u0027ve tested this with the LTP SELinux and syscalls testscripts.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b77b0646ef4efe31a7449bb3d9360fd00f95433d", "tree": "f8487fe832fbe23400c9f98e808555f0251fb158", "parents": [ "a110343f0d6d41f68b7cf8c00b57a3172c67f816" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Thu Jul 17 09:37:02 2008 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sat Jul 26 20:53:22 2008 -0400" }, "message": "[PATCH] pass MAY_OPEN to vfs_permission() explicitly\n\n... and get rid of the last \"let\u0027s deduce mask from nameidata-\u003eflags\"\nbit.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "9b3e43a747c74029b0acf6acf4666601f132f471", "tree": "9c27118c353f9742d9715b30ec30060dd095b492", "parents": [ "84aaa7ab4c40b66d6dd9aa393901551ad50ec640" ], "author": { "name": "Hugh Dickins", "email": "hugh@veritas.com", "time": "Wed Jul 23 21:28:26 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Jul 24 10:47:22 2008 -0700" }, "message": "security: remove unused forwards\n\nWhy would linux/security.h need forward declarations for nfsctl_arg and\nswap_info_struct? It\u0027s hard to imagine: remove them.\n\nSigned-off-by: Hugh Dickins \u003chugh@veritas.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "6f0f0fd496333777d53daff21a4e3b28c4d03a6d", "tree": "202de67376fce2547b44ae5b016d6424c3c7409c", "parents": [ "93cbace7a058bce7f99319ef6ceff4b78cf45051" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jul 10 17:02:07 2008 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jul 14 15:04:06 2008 +1000" }, "message": "security: remove register_security hook\n\nThe register security hook is no longer required, as the capability\nmodule is always registered. LSMs wishing to stack capability as\na secondary module should do so explicitly.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Greg Kroah-Hartman \u003cgregkh@suse.de\u003e\n" }, { "commit": "b478a9f9889c81e88077d1495daadee64c0af541", "tree": "d1a843fab53dd4b28b45172ba0b90417c4eefc48", "parents": [ "2069f457848f846cb31149c9aa29b330a6b66d1b" ], "author": { "name": "Miklos Szeredi", "email": "mszeredi@suse.cz", "time": "Thu Jul 03 20:56:04 2008 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jul 14 15:02:05 2008 +1000" }, "message": "security: remove unused sb_get_mnt_opts hook\n\nThe sb_get_mnt_opts() hook is unused, and is superseded by the\nsb_show_options() hook.\n\nSigned-off-by: Miklos Szeredi \u003cmszeredi@suse.cz\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "2069f457848f846cb31149c9aa29b330a6b66d1b", "tree": "199e7bb15e7d7b5cf008cd6fdb6cefc0d6af7f13", "parents": [ "811f3799279e567aa354c649ce22688d949ac7a9" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Jul 04 09:47:13 2008 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jul 14 15:02:05 2008 +1000" }, "message": "LSM/SELinux: show LSM mount options in /proc/mounts\n\nThis patch causes SELinux mount options to show up in /proc/mounts. As\nwith other code in the area seq_put errors are ignored. Other LSM\u0027s\nwill not have their mount options displayed until they fill in their own\nsecurity_sb_show_options() function.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Miklos Szeredi \u003cmszeredi@suse.cz\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "006ebb40d3d65338bd74abb03b945f8d60e362bd", "tree": "c548c678b54b307e1fb9acf94676fb7bfd849501", "parents": [ "feb2a5b82d87fbdc01c00b7e9413e4b5f4c1f0c1" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Mon May 19 08:32:49 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jul 14 15:01:47 2008 +1000" }, "message": "Security: split proc ptrace checking into read vs. attach\n\nEnable security modules to distinguish reading of process state via\nproc from full ptrace access by renaming ptrace_may_attach to\nptrace_may_access and adding a mode argument indicating whether only\nread access or full attach access is requested. This allows security\nmodules to permit access to reading process state without granting\nfull ptrace access. The base DAC/capability checking remains unchanged.\n\nRead access to /proc/pid/mem continues to apply a full ptrace attach\ncheck since check_mem_permission() already requires the current task\nto already be ptracing the target. The other ptrace checks within\nproc for elements like environ, maps, and fds are changed to pass the\nread mode instead of attach.\n\nIn the SELinux case, we model such reading of process state as a\nreading of a proc file labeled with the target process\u0027 label. This\nenables SELinux policy to permit such reading of process state without\npermitting control or manipulation of the target process, as there are\na number of cases where programs probe for such information via proc\nbut do not need to be able to control the target (e.g. procps,\nlsof, PolicyKit, ConsoleKit). At present we have to choose between\nallowing full ptrace in policy (more permissive than required/desired)\nor breaking functionality (or in some cases just silencing the denials\nvia dontaudit rules but this can hide genuine attacks).\n\nThis version of the patch incorporates comments from Casey Schaufler\n(change/replace existing ptrace_may_attach interface, pass access\nmode), and Chris Wright (provide greater consistency in the checking).\n\nNote that like their predecessors __ptrace_may_attach and\nptrace_may_attach, the __ptrace_may_access and ptrace_may_access\ninterfaces use different return value conventions from each other (0\nor -errno vs. 1 or 0). I retained this difference to avoid any\nchanges to the caller logic but made the difference clearer by\nchanging the latter interface to return a bool rather than an int and\nby adding a comment about it to ptrace.h for any future callers.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "7bf570dc8dcf76df2a9f583bef2da96d4289ed0d", "tree": "b60a62585dfe511d9216cdd4a207fd07df1b2f99", "parents": [ "7663c1e2792a9662b23dec6e19bfcd3d55360b8f" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 29 20:52:51 2008 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 13:22:56 2008 -0700" }, "message": "Security: Make secctx_to_secid() take const secdata\n\nMake secctx_to_secid() take constant secdata.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "70a5bb72b55e82fbfbf1e22cae6975fac58a1e2d", "tree": "8e6dcaf5630388d81b23845f293789f2d6a3596b", "parents": [ "4a38e122e2cc6294779021ff4ccc784a3997059e" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 29 01:01:26 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:16 2008 -0700" }, "message": "keys: add keyctl function to get a security label\n\nAdd a keyctl() function to get the security label of a key.\n\nThe following is added to Documentation/keys.txt:\n\n (*) Get the LSM security context attached to a key.\n\n\tlong keyctl(KEYCTL_GET_SECURITY, key_serial_t key, char *buffer,\n\t\t size_t buflen)\n\n This function returns a string that represents the LSM security context\n attached to a key in the buffer provided.\n\n Unless there\u0027s an error, it always returns the amount of data it could\n produce, even if that\u0027s too big for the buffer, but it won\u0027t copy more\n than requested to userspace. If the buffer pointer is NULL then no copy\n will take place.\n\n A NUL character is included at the end of the string if the buffer is\n sufficiently big. This is included in the returned count. If no LSM is\n in force then an empty string will be returned.\n\n A process must have view permission on the key for this function to be\n successful.\n\n[akpm@linux-foundation.org: declare keyctl_get_security()]\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Paul Moore \u003cpaul.moore@hp.com\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Kevin Coffman \u003ckwc@citi.umich.edu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "8f0cfa52a1d4ffacd8e7de906d19662f5da58d58", "tree": "2aa82e3682e75330d9b5d601855e3af3c57c03d8", "parents": [ "7ec02ef1596bb3c829a7e8b65ebf13b87faf1819" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 29 00:59:41 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:06 2008 -0700" }, "message": "xattr: add missing consts to function arguments\n\nAdd missing consts to xattr function arguments.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Andreas Gruenbacher \u003cagruen@suse.de\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "cfd299dffe6f47c04c47b95893708cdc65876fbd", "tree": "469eb611cdda8ee2b0775e018756be8df2d3ffd4", "parents": [ "6b8588f71890fba78742f90e22390028a6cd706f", "c9b7b9793764b171a118d049d4b721a7f5d8ac82" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Apr 28 10:08:49 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Apr 28 10:08:49 2008 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:\n SELinux: Fix a RCU free problem with the netport cache\n SELinux: Made netnode cache adds faster\n SELinux: include/security.h whitespace, syntax, and other cleanups\n SELinux: policydb.h whitespace, syntax, and other cleanups\n SELinux: mls_types.h whitespace, syntax, and other cleanups\n SELinux: mls.h whitespace, syntax, and other cleanups\n SELinux: hashtab.h whitespace, syntax, and other cleanups\n SELinux: context.h whitespace, syntax, and other cleanups\n SELinux: ss/conditional.h whitespace, syntax, and other cleanups\n SELinux: selinux/include/security.h whitespace, syntax, and other cleanups\n SELinux: objsec.h whitespace, syntax, and other cleanups\n SELinux: netlabel.h whitespace, syntax, and other cleanups\n SELinux: avc_ss.h whitespace, syntax, and other cleanups\n\nFixed up conflict in include/linux/security.h manually\n" }, { "commit": "3898b1b4ebff8dcfbcf1807e0661585e06c9a91c", "tree": "69a338864dfe654f68064a599c5d0da460df34ac", "parents": [ "4016a1390d07f15b267eecb20e76a48fd5c524ef" ], "author": { "name": "Andrew G. Morgan", "email": "morgan@kernel.org", "time": "Mon Apr 28 02:13:40 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Apr 28 08:58:26 2008 -0700" }, "message": "capabilities: implement per-process securebits\n\nFilesystem capability support makes it possible to do away with (set)uid-0\nbased privilege and use capabilities instead. That is, with filesystem\nsupport for capabilities but without this present patch, it is (conceptually)\npossible to manage a system with capabilities alone and never need to obtain\nprivilege via (set)uid-0.\n\nOf course, conceptually isn\u0027t quite the same as currently possible since few\nuser applications, certainly not enough to run a viable system, are currently\nprepared to leverage capabilities to exercise privilege. Further, many\napplications exist that may never get upgraded in this way, and the kernel\nwill continue to want to support their setuid-0 base privilege needs.\n\nWhere pure-capability applications evolve and replace setuid-0 binaries, it is\ndesirable that there be a mechanisms by which they can contain their\nprivilege. In addition to leveraging the per-process bounding and inheritable\nsets, this should include suppressing the privilege of the uid-0 superuser\nfrom the process\u0027 tree of children.\n\nThe feature added by this patch can be leveraged to suppress the privilege\nassociated with (set)uid-0. This suppression requires CAP_SETPCAP to\ninitiate, and only immediately affects the \u0027current\u0027 process (it is inherited\nthrough fork()/exec()). This reimplementation differs significantly from the\nhistorical support for securebits which was system-wide, unwieldy and which\nhas ultimately withered to a dead relic in the source of the modern kernel.\n\nWith this patch applied a process, that is capable(CAP_SETPCAP), can now drop\nall legacy privilege (through uid\u003d0) for itself and all subsequently\nfork()\u0027d/exec()\u0027d children with:\n\n prctl(PR_SET_SECUREBITS, 0x2f);\n\nThis patch represents a no-op unless CONFIG_SECURITY_FILE_CAPABILITIES is\nenabled at configure time.\n\n[akpm@linux-foundation.org: fix uninitialised var warning]\n[serue@us.ibm.com: capabilities: use cap_task_prctl when !CONFIG_SECURITY]\nSigned-off-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "7b41b1733ca1d3278c8eb891e17905d7d54f5bfa", "tree": "1b4da0efe26a2d91829c8f7b8995a6740c96056f", "parents": [ "489a5fd7198d2d2368dd5cf697c841ea4d61ddd1" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 23 14:10:25 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Apr 28 09:29:08 2008 +1000" }, "message": "SELinux: include/security.h whitespace, syntax, and other cleanups\n\nThis patch changes include/security.h to fix whitespace and syntax issues. Things that\nare fixed may include (does not not have to include)\n\nwhitespace at end of lines\nspaces followed by tabs\nspaces used instead of tabs\nspacing around parenthesis\nlocation of { around structs and else clauses\nlocation of * in pointer declarations\nremoval of initialization of static data to keep it in the right section\nuseless {} in if statemetns\nuseless checking for NULL before kfree\nfixing of the indentation depth of switch statements\nno assignments in if statements\ninclude spaces around , in function calls\nand any number of other things I forgot to mention\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b5266eb4c8d1a2887a19aaec8144ee4ad1b054c3", "tree": "37105d0640169ad758d20847cf3effe77381f50f", "parents": [ "1a60a280778ff90270fc7390d9ec102f713a5a29" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sat Mar 22 17:48:24 2008 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Apr 21 23:13:23 2008 -0400" }, "message": "[PATCH] switch a bunch of LSM hooks from nameidata to path\n\nNamely, ones from namespace.c\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "3925e6fc1f774048404fdd910b0345b06c699eb4", "tree": "c9a58417d9492f39f7fe81d4721d674c34dd8be2", "parents": [ "334d094504c2fe1c44211ecb49146ae6bca8c321", "7cea51be4e91edad05bd834f3235b45c57783f0d" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Apr 18 18:18:30 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Apr 18 18:18:30 2008 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:\n security: fix up documentation for security_module_enable\n Security: Introduce security\u003d boot parameter\n Audit: Final renamings and cleanup\n SELinux: use new audit hooks, remove redundant exports\n Audit: internally use the new LSM audit hooks\n LSM/Audit: Introduce generic Audit LSM hooks\n SELinux: remove redundant exports\n Netlink: Use generic LSM hook\n Audit: use new LSM hooks instead of SELinux exports\n SELinux: setup new inode/ipc getsecid hooks\n LSM: Introduce inode_getsecid and ipc_getsecid hooks\n" }, { "commit": "076c54c5bcaed2081c0cba94a6f77c4d470236ad", "tree": "5e8f05cab20a49922618bb3af697a6b46e610eee", "parents": [ "04305e4aff8b0533dc05f9f6f1a34d0796bd985f" ], "author": { "name": "Ahmed S. Darwish", "email": "darwish.07@gmail.com", "time": "Thu Mar 06 18:09:10 2008 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Apr 19 10:00:51 2008 +1000" }, "message": "Security: Introduce security\u003d boot parameter\n\nAdd the security\u003d boot parameter. This is done to avoid LSM\nregistration clashes in case of more than one bult-in module.\n\nUser can choose a security module to enable at boot. If no\nsecurity\u003d boot parameter is specified, only the first LSM\nasking for registration will be loaded. An invalid security\nmodule name will be treated as if no module has been chosen.\n\nLSM modules must check now if they are allowed to register\nby calling security_module_enable(ops) first. Modify SELinux\nand SMACK to do so.\n\nDo not let SMACK register smackfs if it was not chosen on\nboot. Smackfs assumes that smack hooks are registered and\nthe initial task security setup (swapper-\u003esecurity) is done.\n\nSigned-off-by: Ahmed S. Darwish \u003cdarwish.07@gmail.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "03d37d25e0f91b28c4b6d002be6221f1af4b19d8", "tree": "de56538f7b6e7623d7cee2b0fcdc8f9764957252", "parents": [ "6b89a74be0fbbc6cc639d5cf7dcf8e6ee0f120a7" ], "author": { "name": "Ahmed S. Darwish", "email": "darwish.07@gmail.com", "time": "Sat Mar 01 22:00:05 2008 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Apr 19 09:52:36 2008 +1000" }, "message": "LSM/Audit: Introduce generic Audit LSM hooks\n\nIntroduce a generic Audit interface for security modules\nby adding the following new LSM hooks:\n\naudit_rule_init(field, op, rulestr, lsmrule)\naudit_rule_known(krule)\naudit_rule_match(secid, field, op, rule, actx)\naudit_rule_free(rule)\n\nThose hooks are only available if CONFIG_AUDIT is enabled.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Ahmed S. Darwish \u003cdarwish.07@gmail.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\n" }, { "commit": "8a076191f373abaeb4aa5f6755d22e49db98940f", "tree": "1311a11332abb0828999a7347a07509a68dffb5f", "parents": [ "d1a4be630fb068f251d64b62919f143c49ca8057" ], "author": { "name": "Ahmed S. Darwish", "email": "darwish.07@gmail.com", "time": "Sat Mar 01 21:51:09 2008 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Apr 19 09:52:32 2008 +1000" }, "message": "LSM: Introduce inode_getsecid and ipc_getsecid hooks\n\nIntroduce inode_getsecid(inode, secid) and ipc_getsecid(ipcp, secid)\nLSM hooks. These hooks will be used instead of similar exported\nSELinux interfaces.\n\nLet {inode,ipc,task}_getsecid hooks set the secid to 0 by default\nif CONFIG_SECURITY is not defined or if the hook is set to\nNULL (dummy). This is done to notify the caller that no valid\nsecid exists.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Ahmed S. Darwish \u003cdarwish.07@gmail.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\n" }, { "commit": "03e1ad7b5d871d4189b1da3125c2f12d1b5f7d0b", "tree": "1e7f291ac6bd0c1f3a95e8252c32fcce7ff47ea7", "parents": [ "00447872a643787411c2c0cb1df6169dda8b0c47" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Sat Apr 12 19:07:52 2008 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sat Apr 12 19:07:52 2008 -0700" }, "message": "LSM: Make the Labeled IPsec hooks more stack friendly\n\nThe xfrm_get_policy() and xfrm_add_pol_expire() put some rather large structs\non the stack to work around the LSM API. This patch attempts to fix that\nproblem by changing the LSM API to require only the relevant \"security\"\npointers instead of the entire SPD entry; we do this for all of the\nsecurity_xfrm_policy*() functions to keep things consistent.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "aedb60a67c10a0861af179725d060765262ba0fb", "tree": "4a4a316f9f7d1ab0bf4da2cdd5c802bfb05c947f", "parents": [ "457fb605834504af294916411be128a9b21fc3f6" ], "author": { "name": "Serge Hallyn", "email": "serge@hallyn.com", "time": "Fri Feb 29 15:14:57 2008 +0000" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Mar 20 09:46:36 2008 -0700" }, "message": "file capabilities: remove cap_task_kill()\n\nThe original justification for cap_task_kill() was as follows:\n\n\tcheck_kill_permission() does appropriate uid equivalence checks.\n\tHowever with file capabilities it becomes possible for an\n\tunprivileged user to execute a file with file capabilities\n\tresulting in a more privileged task with the same uid.\n\nHowever now that cap_task_kill() always returns 0 (permission\ngranted) when p-\u003euid\u003d\u003dcurrent-\u003euid, the whole hook is worthless,\nand only likely to create more subtle problems in the corner cases\nwhere it might still be called but return -EPERM. Those cases\nare basically when uids are different but euid/suid is equivalent\nas per the check in check_kill_permission().\n\nOne example of a still-broken application is \u0027at\u0027 for non-root users.\n\nThis patch removes cap_task_kill().\n\nSigned-off-by: Serge Hallyn \u003cserge@hallyn.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nEarlier-version-tested-by: Luiz Fernando N. Capitulino \u003clcapitulino@mandriva.com.br\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "e0007529893c1c064be90bd21422ca0da4a0198e", "tree": "c2334ba940e682183a18d18972cf95bd3a3da46a", "parents": [ "29e8c3c304b62f31b799565c9ee85d42bd163f80" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Mar 05 10:31:54 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Mar 06 08:40:53 2008 +1100" }, "message": "LSM/SELinux: Interfaces to allow FS to control mount options\n\nIntroduce new LSM interfaces to allow an FS to deal with their own mount\noptions. This includes a new string parsing function exported from the\nLSM that an FS can use to get a security data blob and a new security\ndata blob. This is particularly useful for an FS which uses binary\nmount data, like NFS, which does not pass strings into the vfs to be\nhandled by the loaded LSM. Also fix a BUG() in both SELinux and SMACK\nwhen dealing with binary mount data. If the binary mount data is less\nthan one page the copy_page() in security_sb_copy_data() can cause an\nillegal page fault and boom. Remove all NFSisms from the SELinux code\nsince they were broken by past NFS changes.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3b7391de67da515c91f48aa371de77cb6cc5c07e", "tree": "22b9f5d9d1c36b374eb5765219aca3c7e1f23486", "parents": [ "46c383cc4530ccc438cb325e92e11eb21dd3d4fc" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Mon Feb 04 22:29:45 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Feb 05 09:44:20 2008 -0800" }, "message": "capabilities: introduce per-process capability bounding set\n\nThe capability bounding set is a set beyond which capabilities cannot grow.\n Currently cap_bset is per-system. It can be manipulated through sysctl,\nbut only init can add capabilities. Root can remove capabilities. By\ndefault it includes all caps except CAP_SETPCAP.\n\nThis patch makes the bounding set per-process when file capabilities are\nenabled. It is inherited at fork from parent. Noone can add elements,\nCAP_SETPCAP is required to remove them.\n\nOne example use of this is to start a safer container. For instance, until\ndevice namespaces or per-container device whitelists are introduced, it is\nbest to take CAP_MKNOD away from a container.\n\nThe bounding set will not affect pP and pE immediately. It will only\naffect pP\u0027 and pE\u0027 after subsequent exec()s. It also does not affect pI,\nand exec() does not constrain pI\u0027. So to really start a shell with no way\nof regain CAP_MKNOD, you would do\n\n\tprctl(PR_CAPBSET_DROP, CAP_MKNOD);\n\tcap_t cap \u003d cap_get_proc();\n\tcap_value_t caparray[1];\n\tcaparray[0] \u003d CAP_MKNOD;\n\tcap_set_flag(cap, CAP_INHERITABLE, 1, caparray, CAP_DROP);\n\tcap_set_proc(cap);\n\tcap_free(cap);\n\nThe following test program will get and set the bounding\nset (but not pI). For instance\n\n\t./bset get\n\t\t(lists capabilities in bset)\n\t./bset drop cap_net_raw\n\t\t(starts shell with new bset)\n\t\t(use capset, setuid binary, or binary with\n\t\tfile capabilities to try to increase caps)\n\n************************************************************\ncap_bound.c\n************************************************************\n #include \u003csys/prctl.h\u003e\n #include \u003clinux/capability.h\u003e\n #include \u003csys/types.h\u003e\n #include \u003cunistd.h\u003e\n #include \u003cstdio.h\u003e\n #include \u003cstdlib.h\u003e\n #include \u003cstring.h\u003e\n\n #ifndef PR_CAPBSET_READ\n #define PR_CAPBSET_READ 23\n #endif\n\n #ifndef PR_CAPBSET_DROP\n #define PR_CAPBSET_DROP 24\n #endif\n\nint usage(char *me)\n{\n\tprintf(\"Usage: %s get\\n\", me);\n\tprintf(\" %s drop \u003ccapability\u003e\\n\", me);\n\treturn 1;\n}\n\n #define numcaps 32\nchar *captable[numcaps] \u003d {\n\t\"cap_chown\",\n\t\"cap_dac_override\",\n\t\"cap_dac_read_search\",\n\t\"cap_fowner\",\n\t\"cap_fsetid\",\n\t\"cap_kill\",\n\t\"cap_setgid\",\n\t\"cap_setuid\",\n\t\"cap_setpcap\",\n\t\"cap_linux_immutable\",\n\t\"cap_net_bind_service\",\n\t\"cap_net_broadcast\",\n\t\"cap_net_admin\",\n\t\"cap_net_raw\",\n\t\"cap_ipc_lock\",\n\t\"cap_ipc_owner\",\n\t\"cap_sys_module\",\n\t\"cap_sys_rawio\",\n\t\"cap_sys_chroot\",\n\t\"cap_sys_ptrace\",\n\t\"cap_sys_pacct\",\n\t\"cap_sys_admin\",\n\t\"cap_sys_boot\",\n\t\"cap_sys_nice\",\n\t\"cap_sys_resource\",\n\t\"cap_sys_time\",\n\t\"cap_sys_tty_config\",\n\t\"cap_mknod\",\n\t\"cap_lease\",\n\t\"cap_audit_write\",\n\t\"cap_audit_control\",\n\t\"cap_setfcap\"\n};\n\nint getbcap(void)\n{\n\tint comma\u003d0;\n\tunsigned long i;\n\tint ret;\n\n\tprintf(\"i know of %d capabilities\\n\", numcaps);\n\tprintf(\"capability bounding set:\");\n\tfor (i\u003d0; i\u003cnumcaps; i++) {\n\t\tret \u003d prctl(PR_CAPBSET_READ, i);\n\t\tif (ret \u003c 0)\n\t\t\tperror(\"prctl\");\n\t\telse if (ret\u003d\u003d1)\n\t\t\tprintf(\"%s%s\", (comma++) ? \", \" : \" \", captable[i]);\n\t}\n\tprintf(\"\\n\");\n\treturn 0;\n}\n\nint capdrop(char *str)\n{\n\tunsigned long i;\n\n\tint found\u003d0;\n\tfor (i\u003d0; i\u003cnumcaps; i++) {\n\t\tif (strcmp(captable[i], str) \u003d\u003d 0) {\n\t\t\tfound\u003d1;\n\t\t\tbreak;\n\t\t}\n\t}\n\tif (!found)\n\t\treturn 1;\n\tif (prctl(PR_CAPBSET_DROP, i)) {\n\t\tperror(\"prctl\");\n\t\treturn 1;\n\t}\n\treturn 0;\n}\n\nint main(int argc, char *argv[])\n{\n\tif (argc\u003c2)\n\t\treturn usage(argv[0]);\n\tif (strcmp(argv[1], \"get\")\u003d\u003d0)\n\t\treturn getbcap();\n\tif (strcmp(argv[1], \"drop\")!\u003d0 || argc\u003c3)\n\t\treturn usage(argv[0]);\n\tif (capdrop(argv[2])) {\n\t\tprintf(\"unknown capability\\n\");\n\t\treturn 1;\n\t}\n\treturn execl(\"/bin/bash\", \"/bin/bash\", NULL);\n}\n************************************************************\n\n[serue@us.ibm.com: fix typo]\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003ea\nSigned-off-by: \"Serge E. Hallyn\" \u003cserue@us.ibm.com\u003e\nTested-by: Jiri Slaby \u003cjirislaby@gmail.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "42492594043d621a7910ff5877c3eb9202870b45", "tree": "9188d112c019a189606847dc1d90ccc63c1bacf2", "parents": [ "3729145821e3088a0c3c4183037fde356204bf97" ], "author": { "name": "David P. Quigley", "email": "dpquigl@tycho.nsa.gov", "time": "Mon Feb 04 22:29:39 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Feb 05 09:44:20 2008 -0800" }, "message": "VFS/Security: Rework inode_getsecurity and callers to return resulting buffer\n\nThis patch modifies the interface to inode_getsecurity to have the function\nreturn a buffer containing the security blob and its length via parameters\ninstead of relying on the calling function to give it an appropriately sized\nbuffer.\n\nSecurity blobs obtained with this function should be freed using the\nrelease_secctx LSM hook. This alleviates the problem of the caller having to\nguess a length and preallocate a buffer for this function allowing it to be\nused elsewhere for Labeled NFS.\n\nThe patch also removed the unused err parameter. The conversion is similar to\nthe one performed by Al Viro for the security_getprocattr hook.\n\nSigned-off-by: David P. Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "1996a10948e50e546dc2b64276723c0b64d3173b", "tree": "971b235907b7c6911c21c9139e0ba85c5b84ef80", "parents": [ "63cb34492351078479b2d4bae6a881806a396286" ], "author": { "name": "Jan Engelhardt", "email": "jengelh@computergmbh.de", "time": "Wed Jan 23 00:02:58 2008 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 25 11:29:54 2008 +1100" }, "message": "security/selinux: constify function pointer tables and fields\n\nConstify function pointer tables and fields.\n\nSigned-off-by: Jan Engelhardt \u003cjengelh@computergmbh.de\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "63cb34492351078479b2d4bae6a881806a396286", "tree": "d33ab15eda40c5195c4a723d9e49591a9b4950f9", "parents": [ "c43e259cc756ece387faae849af0058b56d78466" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Jan 15 23:47:35 2008 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 25 11:29:53 2008 +1100" }, "message": "security: add a secctx_to_secid() hook\n\nAdd a secctx_to_secid() LSM hook to go along with the existing\nsecid_to_secctx() LSM hook. This patch also includes the SELinux\nimplementation for this hook.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "bced95283e9434611cbad8f2ff903cd396eaea72", "tree": "5d56afc7a5f239ebc53a1800a508f16b8d8701b0", "parents": [ "42d7896ebc5f7268b1fe6bbd20f2282e20ae7895" ], "author": { "name": "H. Peter Anvin", "email": "hpa@zytor.com", "time": "Sat Dec 29 16:20:25 2007 -0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 25 11:29:50 2008 +1100" }, "message": "security: remove security_sb_post_mountroot hook\n\nThe security_sb_post_mountroot() hook is long-since obsolete, and is\nfundamentally broken: it is never invoked if someone uses initramfs.\nThis is particularly damaging, because the existence of this hook has\nbeen used as motivation for not using initramfs.\n\nStephen Smalley confirmed on 2007-07-19 that this hook was originally\nused by SELinux but can now be safely removed:\n\n http://marc.info/?l\u003dlinux-kernel\u0026m\u003d118485683612916\u0026w\u003d2\n\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Eric Paris \u003ceparis@parisplace.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: H. Peter Anvin \u003chpa@zytor.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c9180a57a9ab2d5525faf8815a332364ee9e89b7", "tree": "c677ec33735f3529d478a2b71fcc732d4fe59adf", "parents": [ "19c5fc198c369bb00f3ed9716ef40648865d8d94" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Nov 30 13:00:35 2007 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 25 11:29:46 2008 +1100" }, "message": "Security: add get, set, and cloning of superblock security information\n\nAdds security_get_sb_mnt_opts, security_set_sb_mnt_opts, and\nsecurity_clont_sb_mnt_opts to the LSM and to SELinux. This will allow\nfilesystems to directly own and control all of their mount options if they\nso choose. This interface deals only with option identifiers and strings so\nit should generic enough for any LSM which may come in the future.\n\nFilesystems which pass text mount data around in the kernel (almost all of\nthem) need not currently make use of this interface when dealing with\nSELinux since it will still parse those strings as it always has. I assume\nfuture LSM\u0027s would do the same. NFS is the primary FS which does not use\ntext mount data and thus must make use of this interface.\n\nAn LSM would need to implement these functions only if they had mount time\noptions, such as selinux has context\u003d or fscontext\u003d. If the LSM has no\nmount time options they could simply not implement and let the dummy ops\ntake care of things.\n\nAn LSM other than SELinux would need to define new option numbers in\nsecurity.h and any FS which decides to own there own security options would\nneed to be patched to use this new interface for every possible LSM. This\nis because it was stated to me very clearly that LSM\u0027s should not attempt to\nunderstand FS mount data and the burdon to understand security should be in\nthe FS which owns the options.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6da34bae29f51c35b300d89c1bbfe96cdf44d4d5", "tree": "f89fe161a27bdd010c6016b54e9104730169c85f", "parents": [ "118e78d1cd7023c3b155f861072ba10df0265fda" ], "author": { "name": "Serge Hallyn", "email": "serue@us.ibm.com", "time": "Sat Oct 20 00:53:30 2007 +0200" }, "committer": { "name": "Adrian Bunk", "email": "bunk@kernel.org", "time": "Sat Oct 20 00:53:30 2007 +0200" }, "message": "fix up security_socket_getpeersec_* documentation\n\nUpdate the security_socket_peersec documentation in\ninclude/linux/security.h. security_socket_peersec has been split\ninto two functions - _stream and _dgram, with new capabilities.\n\nSigned-off-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\n" }, { "commit": "72c2d5823fc7be799a12184974c3bdc57acea3c4", "tree": "5c17418efb57cd5b2cdc0d751f577b2c64012423", "parents": [ "7058cb02ddab4bce70a46e519804fccb7ac0a060" ], "author": { "name": "Andrew Morgan", "email": "morgan@kernel.org", "time": "Thu Oct 18 03:05:59 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Oct 18 14:37:24 2007 -0700" }, "message": "V3 file capabilities: alter behavior of cap_setpcap\n\nThe non-filesystem capability meaning of CAP_SETPCAP is that a process, p1,\ncan change the capabilities of another process, p2. This is not the\nmeaning that was intended for this capability at all, and this\nimplementation came about purely because, without filesystem capabilities,\nthere was no way to use capabilities without one process bestowing them on\nanother.\n\nSince we now have a filesystem support for capabilities we can fix the\nimplementation of CAP_SETPCAP.\n\nThe most significant thing about this change is that, with it in effect, no\nprocess can set the capabilities of another process.\n\nThe capabilities of a program are set via the capability convolution\nrules:\n\n pI(post-exec) \u003d pI(pre-exec)\n pP(post-exec) \u003d (X(aka cap_bset) \u0026 fP) | (pI(post-exec) \u0026 fI)\n pE(post-exec) \u003d fE ? pP(post-exec) : 0\n\nat exec() time. As such, the only influence the pre-exec() program can\nhave on the post-exec() program\u0027s capabilities are through the pI\ncapability set.\n\nThe correct implementation for CAP_SETPCAP (and that enabled by this patch)\nis that it can be used to add extra pI capabilities to the current process\n- to be picked up by subsequent exec()s when the above convolution rules\nare applied.\n\nHere is how it works:\n\nLet\u0027s say we have a process, p. It has capability sets, pE, pP and pI.\nGenerally, p, can change the value of its own pI to pI\u0027 where\n\n (pI\u0027 \u0026 ~pI) \u0026 ~pP \u003d 0.\n\nThat is, the only new things in pI\u0027 that were not present in pI need to\nbe present in pP.\n\nThe role of CAP_SETPCAP is basically to permit changes to pI beyond\nthe above:\n\n if (pE \u0026 CAP_SETPCAP) {\n pI\u0027 \u003d anything; /* ie., even (pI\u0027 \u0026 ~pI) \u0026 ~pP !\u003d 0 */\n }\n\nThis capability is useful for things like login, which (say, via\npam_cap) might want to raise certain inheritable capabilities for use\nby the children of the logged-in user\u0027s shell, but those capabilities\nare not useful to or needed by the login program itself.\n\nOne such use might be to limit who can run ping. You set the\ncapabilities of the \u0027ping\u0027 program to be \"\u003d cap_net_raw+i\", and then\nonly shells that have (pI \u0026 CAP_NET_RAW) will be able to run\nit. Without CAP_SETPCAP implemented as described above, login(pam_cap)\nwould have to also have (pP \u0026 CAP_NET_RAW) in order to raise this\ncapability and pass it on through the inheritable set.\n\nSigned-off-by: Andrew Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "cbfee34520666862f8ff539e580c48958fbb7706", "tree": "ded5cafce333e908a0fbeda1f7c55eaf7c1fbaaa", "parents": [ "b53767719b6cd8789392ea3e7e2eb7b8906898f0" ], "author": { "name": "Adrian Bunk", "email": "bunk@kernel.org", "time": "Tue Oct 16 23:31:38 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:43:07 2007 -0700" }, "message": "security/ cleanups\n\nThis patch contains the following cleanups that are now possible:\n- remove the unused security_operations-\u003einode_xattr_getsuffix\n- remove the no longer used security_operations-\u003eunregister_security\n- remove some no longer required exit code\n- remove a bunch of no longer used exports\n\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b53767719b6cd8789392ea3e7e2eb7b8906898f0", "tree": "a0279dc93c79b94d3865b0f19f6b7b353e20608c", "parents": [ "57c521ce6125e15e99e56c902cb8da96bee7b36d" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Tue Oct 16 23:31:36 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:43:07 2007 -0700" }, "message": "Implement file posix capabilities\n\nImplement file posix capabilities. This allows programs to be given a\nsubset of root\u0027s powers regardless of who runs them, without having to use\nsetuid and giving the binary all of root\u0027s powers.\n\nThis version works with Kaigai Kohei\u0027s userspace tools, found at\nhttp://www.kaigai.gr.jp/index.php. For more information on how to use this\npatch, Chris Friedhoff has posted a nice page at\nhttp://www.friedhoff.org/fscaps.html.\n\nChangelog:\n\tNov 27:\n\tIncorporate fixes from Andrew Morton\n\t(security-introduce-file-caps-tweaks and\n\tsecurity-introduce-file-caps-warning-fix)\n\tFix Kconfig dependency.\n\tFix change signaling behavior when file caps are not compiled in.\n\n\tNov 13:\n\tIntegrate comments from Alexey: Remove CONFIG_ ifdef from\n\tcapability.h, and use %zd for printing a size_t.\n\n\tNov 13:\n\tFix endianness warnings by sparse as suggested by Alexey\n\tDobriyan.\n\n\tNov 09:\n\tAddress warnings of unused variables at cap_bprm_set_security\n\twhen file capabilities are disabled, and simultaneously clean\n\tup the code a little, by pulling the new code into a helper\n\tfunction.\n\n\tNov 08:\n\tFor pointers to required userspace tools and how to use\n\tthem, see http://www.friedhoff.org/fscaps.html.\n\n\tNov 07:\n\tFix the calculation of the highest bit checked in\n\tcheck_cap_sanity().\n\n\tNov 07:\n\tAllow file caps to be enabled without CONFIG_SECURITY, since\n\tcapabilities are the default.\n\tHook cap_task_setscheduler when !CONFIG_SECURITY.\n\tMove capable(TASK_KILL) to end of cap_task_kill to reduce\n\taudit messages.\n\n\tNov 05:\n\tAdd secondary calls in selinux/hooks.c to task_setioprio and\n\ttask_setscheduler so that selinux and capabilities with file\n\tcap support can be stacked.\n\n\tSep 05:\n\tAs Seth Arnold points out, uid checks are out of place\n\tfor capability code.\n\n\tSep 01:\n\tDefine task_setscheduler, task_setioprio, cap_task_kill, and\n\ttask_setnice to make sure a user cannot affect a process in which\n\tthey called a program with some fscaps.\n\n\tOne remaining question is the note under task_setscheduler: are we\n\tok with CAP_SYS_NICE being sufficient to confine a process to a\n\tcpuset?\n\n\tIt is a semantic change, as without fsccaps, attach_task doesn\u0027t\n\tallow CAP_SYS_NICE to override the uid equivalence check. But since\n\tit uses security_task_setscheduler, which elsewhere is used where\n\tCAP_SYS_NICE can be used to override the uid equivalence check,\n\tfixing it might be tough.\n\n\t task_setscheduler\n\t\t note: this also controls cpuset:attach_task. Are we ok with\n\t\t CAP_SYS_NICE being used to confine to a cpuset?\n\t task_setioprio\n\t task_setnice\n\t\t sys_setpriority uses this (through set_one_prio) for another\n\t\t process. Need same checks as setrlimit\n\n\tAug 21:\n\tUpdated secureexec implementation to reflect the fact that\n\teuid and uid might be the same and nonzero, but the process\n\tmight still have elevated caps.\n\n\tAug 15:\n\tHandle endianness of xattrs.\n\tEnforce capability version match between kernel and disk.\n\tEnforce that no bits beyond the known max capability are\n\tset, else return -EPERM.\n\tWith this extra processing, it may be worth reconsidering\n\tdoing all the work at bprm_set_security rather than\n\td_instantiate.\n\n\tAug 10:\n\tAlways call getxattr at bprm_set_security, rather than\n\tcaching it at d_instantiate.\n\n[morgan@kernel.org: file-caps clean up for linux/capability.h]\n[bunk@kernel.org: unexport cap_inode_killpriv]\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Andrew Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Andrew Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "20510f2f4e2dabb0ff6c13901807627ec9452f98", "tree": "d64b9eeb90d577f7f9688a215c4c6c3c2405188a", "parents": [ "5c3b447457789374cdb7b03afe2540d48c649a36" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Oct 16 23:31:32 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:43:07 2007 -0700" }, "message": "security: Convert LSM into a static interface\n\nConvert LSM into a static interface, as the ability to unload a security\nmodule is not required by in-tree users and potentially complicates the\noverall security architecture.\n\nNeedlessly exported LSM symbols have been unexported, to help reduce API\nabuse.\n\nParameters for the capability and root_plug modules are now specified\nat boot.\n\nThe SECURITY_FRAMEWORK_VERSION macro has also been removed.\n\nIn a nutshell, there is no safe way to unload an LSM. The modular interface\nis thus unecessary and broken infrastructure. It is used only by out-of-tree\nmodules, which are often binary-only, illegal, abusive of the API and\ndangerous, e.g. silently re-vectoring SELinux.\n\n[akpm@linux-foundation.org: cleanups]\n[akpm@linux-foundation.org: USB Kconfig fix]\n[randy.dunlap@oracle.com: fix LSM kernel-doc]\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: \"Serge E. Hallyn\" \u003cserue@us.ibm.com\u003e\nAcked-by: Arjan van de Ven \u003carjan@infradead.org\u003e\nSigned-off-by: Randy Dunlap \u003crandy.dunlap@oracle.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "788e7dd4c22e6f41b3a118fd8c291f831f6fddbb", "tree": "cbe2d2a360aaf7dc243bef432e1c50507ae6db7b", "parents": [ "3232c110b56bd01c5f0fdfd16b4d695f2e05b0a9" ], "author": { "name": "Yuichi Nakamura", "email": "ynakam@hitachisoft.jp", "time": "Fri Sep 14 09:27:07 2007 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Oct 17 08:59:31 2007 +1000" }, "message": "SELinux: Improve read/write performance\n\nIt reduces the selinux overhead on read/write by only revalidating\npermissions in selinux_file_permission if the task or inode labels have\nchanged or the policy has changed since the open-time check. A new LSM\nhook, security_dentry_open, is added to capture the necessary state at open\ntime to allow this optimization.\n\n(see http://marc.info/?l\u003dselinux\u0026m\u003d118972995207740\u0026w\u003d2)\n\nSigned-off-by: Yuichi Nakamura\u003cynakam@hitachisoft.jp\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "34b4e4aa3c470ce8fa2bd78abb1741b4b58baad7", "tree": "91d620288f1aaf63c12dc84ca1015465818601f2", "parents": [ "afe1ab4d577892822de2c8e803fbfaed6ec44ba3" ], "author": { "name": "Alan Cox", "email": "alan@lxorguk.ukuu.org.uk", "time": "Wed Aug 22 14:01:28 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Aug 22 19:52:45 2007 -0700" }, "message": "fix NULL pointer dereference in __vm_enough_memory()\n\nThe new exec code inserts an accounted vma into an mm struct which is not\ncurrent-\u003emm. The existing memory check code has a hard coded assumption\nthat this does not happen as does the security code.\n\nAs the correct mm is known we pass the mm to the security method and the\nhelper function. A new security test is added for the case where we need\nto pass the mm and the existing one is modified to pass current-\u003emm to\navoid the need to change large amounts of code.\n\n(Thanks to Tobias for fixing rejects and testing)\n\nSigned-off-by: Alan Cox \u003calan@redhat.com\u003e\nCc: WU Fengguang \u003cwfg@mail.ustc.edu.cn\u003e\nCc: James Morris \u003cjmorris@redhat.com\u003e\nCc: Tobias Diedrich \u003cranma+kernel@tdiedrich.de\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "ed0321895182ffb6ecf210e066d87911b270d587", "tree": "832bb54666f73b06e55322df40f915c5e9ef64d7", "parents": [ "13bddc2e9d591e31bf20020dc19ea6ca85de420e" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Jun 28 15:55:21 2007 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jul 11 22:52:29 2007 -0400" }, "message": "security: Protection for exploiting null dereference using mmap\n\nAdd a new security check on mmap operations to see if the user is attempting\nto mmap to low area of the address space. The amount of space protected is\nindicated by the new proc tunable /proc/sys/vm/mmap_min_addr and defaults to\n0, preserving existing behavior.\n\nThis patch uses a new SELinux security class \"memprotect.\" Policy already\ncontains a number of allow rules like a_t self:process * (unconfined_t being\none of them) which mean that putting this check in the process class (its\nbest current fit) would make it useless as all user processes, which we also\nwant to protect against, would be allowed. By taking the memprotect name of\nthe new class it will also make it possible for us to move some of the other\nmemory protect permissions out of \u0027process\u0027 and into the new class next time\nwe bump the policy version number (which I also think is a good future idea)\n\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "59c51591a0ac7568824f541f57de967e88adaa07", "tree": "243d20eb0a26b76d5d312f39ec5a1ff60e036711", "parents": [ "02a3e59a088749c08b0293ee1535f5bf48f5926c" ], "author": { "name": "Michael Opdenacker", "email": "michael@free-electrons.com", "time": "Wed May 09 08:57:56 2007 +0200" }, "committer": { "name": "Adrian Bunk", "email": "bunk@stusta.de", "time": "Wed May 09 08:57:56 2007 +0200" }, "message": "Fix occurrences of \"the the \"\n\nSigned-off-by: Michael Opdenacker \u003cmichael@free-electrons.com\u003e\nSigned-off-by: Adrian Bunk \u003cbunk@stusta.de\u003e\n" }, { "commit": "04ff97086b1a3237bbd1fe6390fa80fe75207e23", "tree": "877e26055759d84a726c6bc68245bc6f9a4a5753", "parents": [ "c4823bce033be74c0fcfbcae2f1be0854fdc2e18" ], "author": { "name": "Al Viro", "email": "viro@ftp.linux.org.uk", "time": "Mon Mar 12 16:17:58 2007 +0000" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Mar 14 15:27:48 2007 -0700" }, "message": "[PATCH] sanitize security_getprocattr() API\n\nhave it return the buffer it had allocated\n\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "540473208f8ac71c25a87e1a2670c3c18dd4d6db", "tree": "716c6b412ebf3e232bd85da785315f888283d991", "parents": [ "f59e5e82096f81a2cb7d7833001956d81e9fa6fb" ], "author": { "name": "Arjan van de Ven", "email": "arjan@linux.intel.com", "time": "Mon Feb 12 00:55:28 2007 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Mon Feb 12 09:48:44 2007 -0800" }, "message": "[PATCH] mark struct file_operations const 1\n\nMany struct file_operations in the kernel can be \"const\". Marking them const\nmoves these to the .rodata section, which avoids false sharing with potential\ndirty data. In addition it\u0027ll catch accidental writes at compile time to\nthese shared resources.\n\nSigned-off-by: Arjan van de Ven \u003carjan@linux.intel.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b385a144ee790f00e8559bcb8024d042863f9be1", "tree": "c2f2df78805fe8eff006716cee7b8fa8010d3b62", "parents": [ "521dae191e5ba9362152da9fd3a12203e087df83" ], "author": { "name": "Robert P. J. Day", "email": "rpjday@mindspring.com", "time": "Sat Feb 10 01:46:25 2007 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Sun Feb 11 11:18:06 2007 -0800" }, "message": "[PATCH] Replace regular code with appropriate calls to container_of()\n\nReplace a small number of expressions with a call to the \"container_of()\"\nmacro.\n\nSigned-off-by: Robert P. J. Day \u003crpjday@mindspring.com\u003e\nAcked-by: Paul Mackerras \u003cpaulus@samba.org\u003e\nCc: \"David S. Miller\" \u003cdavem@davemloft.net\u003e\nCc: Martin Schwidefsky \u003cschwidefsky@de.ibm.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "67f83cbf081a70426ff667e8d14f94e13ed3bdca", "tree": "776a40733eacb9071478f865e6791daa3f6fd602", "parents": [ "6b877699c6f1efede4545bcecc367786a472eedb" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@trustedcs.com", "time": "Wed Nov 08 17:04:26 2006 -0600" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:21:34 2006 -0800" }, "message": "SELinux: Fix SA selection semantics\n\nFix the selection of an SA for an outgoing packet to be at the same\ncontext as the originating socket/flow. This eliminates the SELinux\npolicy\u0027s ability to use/sendto SAs with contexts other than the socket\u0027s.\n\nWith this patch applied, the SELinux policy will require one or more of the\nfollowing for a socket to be able to communicate with/without SAs:\n\n1. To enable a socket to communicate without using labeled-IPSec SAs:\n\nallow socket_t unlabeled_t:association { sendto recvfrom }\n\n2. To enable a socket to communicate with labeled-IPSec SAs:\n\nallow socket_t self:association { sendto };\nallow socket_t peer_sa_t:association { recvfrom };\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6b877699c6f1efede4545bcecc367786a472eedb", "tree": "c0a60dc90578fa9f16d4496e2700bc285eab47c0", "parents": [ "c1a856c9640c9ff3d70bbd8214b6a0974609eef8" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@trustedcs.com", "time": "Wed Nov 08 17:04:09 2006 -0600" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:21:33 2006 -0800" }, "message": "SELinux: Return correct context for SO_PEERSEC\n\nFix SO_PEERSEC for tcp sockets to return the security context of\nthe peer (as represented by the SA from the peer) as opposed to the\nSA used by the local/source socket.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c1a856c9640c9ff3d70bbd8214b6a0974609eef8", "tree": "76166bf784edd968ffac8c3dcc607d73580c509a", "parents": [ "e8db8c99100750ade5a9b4072b9469cab718a5b7" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@trustedcs.com", "time": "Wed Nov 08 17:03:44 2006 -0600" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:21:31 2006 -0800" }, "message": "SELinux: Various xfrm labeling fixes\n\nSince the upstreaming of the mlsxfrm modification a few months back,\ntesting has resulted in the identification of the following issues/bugs that\nare resolved in this patch set.\n\n1. Fix the security context used in the IKE negotiation to be the context\n of the socket as opposed to the context of the SPD rule.\n\n2. Fix SO_PEERSEC for tcp sockets to return the security context of\n the peer as opposed to the source.\n\n3. Fix the selection of an SA for an outgoing packet to be at the same\n context as the originating socket/flow.\n\nThe following would be the result of applying this patchset:\n\n- SO_PEERSEC will now correctly return the peer\u0027s context.\n\n- IKE deamons will receive the context of the source socket/flow\n as opposed to the SPD rule\u0027s context so that the negotiated SA\n will be at the same context as the source socket/flow.\n\n- The SELinux policy will require one or more of the\n following for a socket to be able to communicate with/without SAs:\n\n 1. To enable a socket to communicate without using labeled-IPSec SAs:\n\n allow socket_t unlabeled_t:association { sendto recvfrom }\n\n 2. To enable a socket to communicate with labeled-IPSec SAs:\n\n allow socket_t self:association { sendto };\n allow socket_t peer_sa_t:association { recvfrom };\n\nThis Patch: Pass correct security context to IKE for use in negotiation\n\nFix the security context passed to IKE for use in negotiation to be the\ncontext of the socket as opposed to the context of the SPD rule so that\nthe SA carries the label of the originating socket/flow.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5b368e61c2bcb2666bb66e2acf1d6d85ba6f474d", "tree": "293f595f737540a546ba186ba1f054389aa95f6f", "parents": [ "134b0fc544ba062498451611cb6f3e4454221b3d" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@trustedcs.com", "time": "Thu Oct 05 15:42:18 2006 -0500" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Wed Oct 11 23:59:37 2006 -0700" }, "message": "IPsec: correct semantics for SELinux policy matching\n\nCurrently when an IPSec policy rule doesn\u0027t specify a security\ncontext, it is assumed to be \"unlabeled\" by SELinux, and so\nthe IPSec policy rule fails to match to a flow that it would\notherwise match to, unless one has explicitly added an SELinux\npolicy rule allowing the flow to \"polmatch\" to the \"unlabeled\"\nIPSec policy rules. In the absence of such an explicitly added\nSELinux policy rule, the IPSec policy rule fails to match and\nso the packet(s) flow in clear text without the otherwise applicable\nxfrm(s) applied.\n\nThe above SELinux behavior violates the SELinux security notion of\n\"deny by default\" which should actually translate to \"encrypt by\ndefault\" in the above case.\n\nThis was first reported by Evgeniy Polyakov and the way James Morris\nwas seeing the problem was when connecting via IPsec to a\nconfined service on an SELinux box (vsftpd), which did not have the\nappropriate SELinux policy permissions to send packets via IPsec.\n\nWith this patch applied, SELinux \"polmatching\" of flows Vs. IPSec\npolicy rules will only come into play when there\u0027s a explicit context\nspecified for the IPSec policy rule (which also means there\u0027s corresponding\nSELinux policy allowing appropriate domains/flows to polmatch to this context).\n\nSecondly, when a security module is loaded (in this case, SELinux), the\nsecurity_xfrm_policy_lookup() hook can return errors other than access denied,\nsuch as -EINVAL. We were not handling that correctly, and in fact\ninverting the return logic and propagating a false \"ok\" back up to\nxfrm_lookup(), which then allowed packets to pass as if they were not\nassociated with an xfrm policy.\n\nThe solution for this is to first ensure that errno values are\ncorrectly propagated all the way back up through the various call chains\nfrom security_xfrm_policy_lookup(), and handled correctly.\n\nThen, flow_cache_lookup() is modified, so that if the policy resolver\nfails (typically a permission denied via the security module), the flow\ncache entry is killed rather than having a null policy assigned (which\nindicates that the packet can pass freely). This also forces any future\nlookups for the same flow to consult the security module (e.g. SELinux)\nfor current security policy (rather than, say, caching the error on the\nflow cache entry).\n\nThis patch: Fix the selinux side of things.\n\nThis makes sure SELinux polmatching of flow contexts to IPSec policy\nrules comes into play only when an explicit context is associated\nwith the IPSec policy rule.\n\nAlso, this no longer defaults the context of a socket policy to\nthe context of the socket since the \"no explicit context\" case\nis now handled properly.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "50462062a02226a698a211d5bd535376c89b8603", "tree": "07a34af458b338c609a35072b8c6fd1ed2a235a1", "parents": [ "cfe14677f286c9be5d683b88214def8f4b8a6f24" ], "author": { "name": "Alexey Dobriyan", "email": "adobriyan@gmail.com", "time": "Fri Sep 29 02:00:01 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Sep 29 09:18:11 2006 -0700" }, "message": "[PATCH] fs.h: ifdef security fields\n\n[assuming BSD security levels are deleted]\nThe only user of i_security, f_security, s_security fields is SELinux,\nhowever, quite a few security modules are trying to get into kernel.\nSo, wrap them under CONFIG_SECURITY. Adding config option for each\nsecurity field is likely an overkill.\n\nFollowing Stephen Smalley\u0027s suggestion, i_security initialization is\nmoved to security_inode_alloc() to not clutter core code with ifdefs\nand make alloc_inode() codepath tiny little bit smaller and faster.\n\nThe user of (highly greppable) struct fown_struct::security field is\nstill to be found. I\u0027ve checked every \"fown_struct\" and every \"f_owner\"\noccurence. Additionally it\u0027s removal doesn\u0027t break i386 allmodconfig\nbuild.\n\nstruct inode, struct file, struct super_block, struct fown_struct\nbecome smaller.\n\nP.S. Combined with two reiserfs inode shrinking patches sent to\nlinux-fsdevel, I can finally suck 12 reiserfs inodes into one page.\n\n\t\t/proc/slabinfo\n\n\t-ext2_inode_cache\t388\t10\n\t+ext2_inode_cache\t384\t10\n\t-inode_cache\t\t280\t14\n\t+inode_cache\t\t276\t14\n\t-proc_inode_cache\t296\t13\n\t+proc_inode_cache\t292\t13\n\t-reiser_inode_cache\t336\t11\n\t+reiser_inode_cache\t332\t12 \u003c\u003d\n\t-shmem_inode_cache\t372\t10\n\t+shmem_inode_cache\t368\t10\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "7420ed23a4f77480b5b7b3245e5da30dd24b7575", "tree": "016f5bb996c5eae66754b10243c5be6226d773f2", "parents": [ "96cb8e3313c7a12e026c1ed510522ae6f6023875" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Fri Aug 04 23:17:57 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:36 2006 -0700" }, "message": "[NetLabel]: SELinux support\n\nAdd NetLabel support to the SELinux LSM and modify the\nsocket_post_create() LSM hook to return an error code. The most\nsignificant part of this patch is the addition of NetLabel hooks into\nthe following SELinux LSM hooks:\n\n * selinux_file_permission()\n * selinux_socket_sendmsg()\n * selinux_socket_post_create()\n * selinux_socket_sock_rcv_skb()\n * selinux_socket_getpeersec_stream()\n * selinux_socket_getpeersec_dgram()\n * selinux_sock_graft()\n * selinux_inet_conn_request()\n\nThe basic reasoning behind this patch is that outgoing packets are\n\"NetLabel\u0027d\" by labeling their socket and the NetLabel security\nattributes are checked via the additional hook in\nselinux_socket_sock_rcv_skb(). NetLabel itself is only a labeling\nmechanism, similar to filesystem extended attributes, it is up to the\nSELinux enforcement mechanism to perform the actual access checks.\n\nIn addition to the changes outlined above this patch also includes\nsome changes to the extended bitmap (ebitmap) and multi-level security\n(mls) code to import and export SELinux TE/MLS attributes into and out\nof NetLabel.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "4237c75c0a35535d7f9f2bfeeb4b4df1e068a0bf", "tree": "02adcb6fe6c346a8b99cf161ba5233ed1e572727", "parents": [ "cb969f072b6d67770b559617f14e767f47e77ece" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Mon Jul 24 23:32:50 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:29 2006 -0700" }, "message": "[MLSXFRM]: Auto-labeling of child sockets\n\nThis automatically labels the TCP, Unix stream, and dccp child sockets\nas well as openreqs to be at the same MLS level as the peer. This will\nresult in the selection of appropriately labeled IPSec Security\nAssociations.\n\nThis also uses the sock\u0027s sid (as opposed to the isec sid) in SELinux\nenforcement of secmark in rcv_skb and postroute_last hooks.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "cb969f072b6d67770b559617f14e767f47e77ece", "tree": "4112eb0182e8b3e28b42aebaa40ca25454fc6b76", "parents": [ "beb8d13bed80f8388f1a9a107d07ddd342e627e8" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Mon Jul 24 23:32:20 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:28 2006 -0700" }, "message": "[MLSXFRM]: Default labeling of socket specific IPSec policies\n\nThis defaults the label of socket-specific IPSec policies to be the\nsame as the socket they are set on.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "beb8d13bed80f8388f1a9a107d07ddd342e627e8", "tree": "19d5763b9b3b8ff3969997565e5ec0edd6e4bd33", "parents": [ "4e2ba18eae7f370c7c3ed96eaca747cc9b39f917" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Fri Aug 04 23:12:42 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:27 2006 -0700" }, "message": "[MLSXFRM]: Add flow labeling\n\nThis labels the flows that could utilize IPSec xfrms at the points the\nflows are defined so that IPSec policy and SAs at the right label can\nbe used.\n\nThe following protos are currently not handled, but they should\ncontinue to be able to use single-labeled IPSec like they currently\ndo.\n\nipmr\nip_gre\nipip\nigmp\nsit\nsctp\nip6_tunnel (IPv6 over IPv6 tunnel device)\ndecnet\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "e0d1caa7b0d5f02e4f34aa09c695d04251310c6c", "tree": "bf023c17abf6813f2694ebf5fafff82edd6a1023", "parents": [ "b6340fcd761acf9249b3acbc95c4dc555d9beb07" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Mon Jul 24 23:29:07 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:24 2006 -0700" }, "message": "[MLSXFRM]: Flow based matching of xfrm policy and state\n\nThis implements a seemless mechanism for xfrm policy selection and\nstate matching based on the flow sid. This also includes the necessary\nSELinux enforcement pieces.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "892c141e62982272b9c738b5520ad0e5e1ad7b42", "tree": "c8e0c9b3e55106d2cb085a5047b9d02dbbb28653", "parents": [ "08554d6b33e60aa8ee40bbef94505941c0eefef2" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Fri Aug 04 23:08:56 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:22 2006 -0700" }, "message": "[MLSXFRM]: Add security sid to sock\n\nThis adds security for IP sockets at the sock level. Security at the\nsock level is needed to enforce the SELinux security policy for\nsecurity associations even when a sock is orphaned (such as in the TCP\nLAST_ACK state).\n\nThis will also be used to enforce SELinux controls over data arriving\nat or leaving a child socket while it\u0027s still waiting to be accepted.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "95ce568812822931991a24147987c5c75c0ac5b0", "tree": "ff9b281375a7e4ad9383999dc1810d9a21124021", "parents": [ "e6eb307d48c81d688804f8b39a0a3ddde3cd3458" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Wed Aug 02 14:37:06 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Wed Aug 02 14:37:06 2006 -0700" }, "message": "[SECURITY]: Fix build with CONFIG_SECURITY disabled.\n\ninclude/linux/security.h: In function ‘security_release_secctx’:\ninclude/linux/security.h:2757: warning: ‘return’ with a value, in function returning void\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "dc49c1f94e3469d94b952e8f5160dd4ccd791d79", "tree": "e47b1974c262a03dbabf0a148325d9089817e78e", "parents": [ "2b7e24b66d31d677d76b49918e711eb360c978b6" ], "author": { "name": "Catherine Zhang", "email": "cxzhang@watson.ibm.com", "time": "Wed Aug 02 14:12:06 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Aug 02 14:12:06 2006 -0700" }, "message": "[AF_UNIX]: Kernel memory leak fix for af_unix datagram getpeersec patch\n\nFrom: Catherine Zhang \u003ccxzhang@watson.ibm.com\u003e\n\nThis patch implements a cleaner fix for the memory leak problem of the\noriginal unix datagram getpeersec patch. Instead of creating a\nsecurity context each time a unix datagram is sent, we only create the\nsecurity context when the receiver requests it.\n\nThis new design requires modification of the current\nunix_getsecpeer_dgram LSM hook and addition of two new hooks, namely,\nsecid_to_secctx and release_secctx. The former retrieves the security\ncontext and the latter releases it. A hook is required for releasing\nthe security context because it is up to the security module to decide\nhow that\u0027s done. In the case of Selinux, it\u0027s a simple kfree\noperation.\n\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "a1836a42daf5ddfe9a891973734bd9a7d62eb504", "tree": "e8819aec40aff3fa0eecd2ef9d92df8213bce58b", "parents": [ "7a01955f99b65622a00ba5c8b39202ddc6fa65f8" ], "author": { "name": "David Quigley", "email": "dpquigl@tycho.nsa.gov", "time": "Fri Jun 30 01:55:49 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Jun 30 11:25:37 2006 -0700" }, "message": "[PATCH] SELinux: Add security hook definition for getioprio and insert hooks\n\nAdd a new security hook definition for the sys_ioprio_get operation. At\npresent, the SELinux hook function implementation for this hook is\nidentical to the getscheduler implementation but a separate hook is\nintroduced to allow this check to be specialized in the future if\nnecessary.\n\nThis patch also creates a helper function get_task_ioprio which handles the\naccess check in addition to retrieving the ioprio value for the task.\n\nSigned-off-by: David Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nCc: Jens Axboe \u003caxboe@suse.de\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "f9008e4c5c525941967b67777945aa6266ab6326", "tree": "a0c9436485b80d548ef74d5f1aec0f6d0309af6e", "parents": [ "ed11d9eb2228acc483c819ab353e3c41bcb158fa" ], "author": { "name": "David Quigley", "email": "dpquigl@tycho.nsa.gov", "time": "Fri Jun 30 01:55:46 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Jun 30 11:25:36 2006 -0700" }, "message": "[PATCH] SELinux: extend task_kill hook to handle signals sent by AIO completion\n\nThis patch extends the security_task_kill hook to handle signals sent by AIO\ncompletion. In this case, the secid of the task responsible for the signal\nneeds to be obtained and saved earlier, so a security_task_getsecid() hook is\nadded, and then this saved value is passed subsequently to the extended\ntask_kill hook for use in checking.\n\nSigned-off-by: David Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "c7bdb545d23026b18be53289fd866d1ac07f5f8c", "tree": "6d9a218871d88f7579dd53f14692df2529b6e712", "parents": [ "576a30eb6453439b3c37ba24455ac7090c247b5a" ], "author": { "name": "Darrel Goeddel", "email": "dgoeddel@trustedcs.com", "time": "Tue Jun 27 13:26:11 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Jun 29 16:57:55 2006 -0700" }, "message": "[NETLINK]: Encapsulate eff_cap usage within security framework.\n\nThis patch encapsulates the usage of eff_cap (in netlink_skb_params) within\nthe security framework by extending security_netlink_recv to include a required\ncapability parameter and converting all direct usage of eff_caps outside\nof the lsm modules to use the interface. It also updates the SELinux\nimplementation of the security_netlink_send and security_netlink_recv\nhooks to take advantage of the sid in the netlink_skb_params struct.\nThis also enables SELinux to perform auditing of netlink capability checks.\nPlease apply, for 2.6.18 if possible.\n\nSigned-off-by: Darrel Goeddel \u003cdgoeddel@trustedcs.com\u003e\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "7e047ef5fe2d52e83020e856b1bf2556a6a2ce98", "tree": "97656e2c56a27be9d1da451dde627b693b8643f2", "parents": [ "f116629d03655adaf7832b93b03c99391d09d4a7" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Jun 26 00:24:50 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Mon Jun 26 09:58:18 2006 -0700" }, "message": "[PATCH] keys: sort out key quota system\n\nAdd the ability for key creation to overrun the user\u0027s quota in some\ncircumstances - notably when a session keyring is created and assigned to a\nprocess that didn\u0027t previously have one.\n\nThis means it\u0027s still possible to log in, should PAM require the creation of a\nnew session keyring, and fix an overburdened key quota.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "35601547baf92d984b6e59cf3583649da04baea5", "tree": "a392501e6e004ed33789dbf3f7a9fe43295439e1", "parents": [ "22fb52dd736a62e24c44c50739007496265dc38c" ], "author": { "name": "David Quigley", "email": "dpquigl@tycho.nsa.gov", "time": "Fri Jun 23 02:04:01 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Jun 23 07:42:54 2006 -0700" }, "message": "[PATCH] SELinux: add task_movememory hook\n\nThis patch adds new security hook, task_movememory, to be called when memory\nowened by a task is to be moved (e.g. when migrating pages to a this hook is\nidentical to the setscheduler implementation, but a separate hook introduced\nto allow this check to be specialized in the future if necessary.\n\nSince the last posting, the hook has been renamed following feedback from\nChristoph Lameter.\n\nSigned-off-by: David Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nCc: Christoph Lameter \u003cclameter@sgi.com\u003e\nCc: Andi Kleen \u003cak@muc.de\u003e\nAcked-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "03e68060636e05989ea94bcb671ab633948f328c", "tree": "aee5e7b55f31998536dd3a4f54f38caeee6105d6", "parents": [ "9216dfad4fc97ab639ef0885efc713f3d7a20d5b" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jun 23 02:03:58 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Jun 23 07:42:53 2006 -0700" }, "message": "[PATCH] lsm: add task_setioprio hook\n\nImplement an LSM hook for setting a task\u0027s IO priority, similar to the hook\nfor setting a tasks\u0027s nice value.\n\nA previous version of this LSM hook was included in an older version of\nmultiadm by Jan Engelhardt, although I don\u0027t recall it being submitted\nupstream.\n\nAlso included is the corresponding SELinux hook, which re-uses the setsched\npermission in the proccess class.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Jan Engelhardt \u003cjengelh@linux01.gwdg.de\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Jens Axboe \u003caxboe@suse.de\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "726c334223180e3c0197cc980a432681370d4baf", "tree": "8327b354bb3dc959a6606051ae6f8d4d035e38a2", "parents": [ "454e2398be9b9fa30433fccc548db34d19aa9958" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Jun 23 02:02:58 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Jun 23 07:42:45 2006 -0700" }, "message": "[PATCH] VFS: Permit filesystem to perform statfs with a known root dentry\n\nGive the statfs superblock operation a dentry pointer rather than a superblock\npointer.\n\nThis complements the get_sb() patch. That reduced the significance of\nsb-\u003es_root, allowing NFS to place a fake root there. However, NFS does\nrequire a dentry to use as a target for the statfs operation. This permits\nthe root in the vfsmount to be used instead.\n\nlinux/mount.h has been added where necessary to make allyesconfig build\nsuccessfully.\n\nInterest has also been expressed for use with the FUSE and XFS filesystems.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: Nathan Scott \u003cnathans@sgi.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "d720024e94de4e8b7f10ee83c532926f3ad5d708", "tree": "8f21613c29a26bfbeb334cb0104b8b998b09fbdc", "parents": [ "f893afbe1262e27e91234506f72e17716190dd2f" ], "author": { "name": "Michael LeMay", "email": "mdlemay@epoch.ncsc.mil", "time": "Thu Jun 22 14:47:17 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Thu Jun 22 15:05:55 2006 -0700" }, "message": "[PATCH] selinux: add hooks for key subsystem\n\nIntroduce SELinux hooks to support the access key retention subsystem\nwithin the kernel. Incorporate new flask headers from a modified version\nof the SELinux reference policy, with support for the new security class\nrepresenting retained keys. Extend the \"key_alloc\" security hook with a\ntask parameter representing the intended ownership context for the key\nbeing allocated. Attach security information to root\u0027s default keyrings\nwithin the SELinux initialization routine.\n\nHas passed David\u0027s testsuite.\n\nSigned-off-by: Michael LeMay \u003cmdlemay@epoch.ncsc.mil\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "6f68dc37759b1d6ff3b4d4a9d097605a09f8f043", "tree": "7d0be960b8c0ec5b947637a0650f1c639002103a", "parents": [ "9dadaa19cb11a8db38072a92a3f95deab7a797fb" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Jun 08 23:58:52 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Jun 17 21:29:49 2006 -0700" }, "message": "[NET]: Fix warnings after LSM-IPSEC changes.\n\nAssignment used as truth value in xfrm_del_sa()\nand xfrm_get_policy().\n\nWrong argument type declared for security_xfrm_state_delete()\nwhen SELINUX is disabled.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "c8c05a8eec6f1258f6d5cb71a44ee5dc1e989b63", "tree": "b4a04dd9e2b940cb5b2911fb67fbe49c5f8b3fbf", "parents": [ "cec6f7f39c3db7d9f6091bf2f8fc8d520f372719" ], "author": { "name": "Catherine Zhang", "email": "cxzhang@watson.ibm.com", "time": "Thu Jun 08 23:39:49 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Jun 17 21:29:45 2006 -0700" }, "message": "[LSM-IPsec]: SELinux Authorize\n\nThis patch contains a fix for the previous patch that adds security\ncontexts to IPsec policies and security associations. In the previous\npatch, no authorization (besides the check for write permissions to\nSAD and SPD) is required to delete IPsec policies and security\nassocations with security contexts. Thus a user authorized to change\nSAD and SPD can bypass the IPsec policy authorization by simply\ndeleteing policies with security contexts. To fix this security hole,\nan additional authorization check is added for removing security\npolicies and security associations with security contexts.\n\nNote that if no security context is supplied on add or present on\npolicy to be deleted, the SELinux module allows the change\nunconditionally. The hook is called on deletion when no context is\npresent, which we may want to change. At present, I left it up to the\nmodule.\n\nLSM changes:\n\nThe patch adds two new LSM hooks: xfrm_policy_delete and\nxfrm_state_delete. The new hooks are necessary to authorize deletion\nof IPsec policies that have security contexts. The existing hooks\nxfrm_policy_free and xfrm_state_free lack the context to do the\nauthorization, so I decided to split authorization of deletion and\nmemory management of security data, as is typical in the LSM\ninterface.\n\nUse:\n\nThe new delete hooks are checked when xfrm_policy or xfrm_state are\ndeleted by either the xfrm_user interface (xfrm_get_policy,\nxfrm_del_sa) or the pfkey interface (pfkey_spddelete, pfkey_delete).\n\nSELinux changes:\n\nThe new policy_delete and state_delete functions are added.\n\nSigned-off-by: Catherine Zhang \u003ccxzhang@watson.ibm.com\u003e\nSigned-off-by: Trent Jaeger \u003ctjaeger@cse.psu.edu\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "9c7aa6aa74fa8a5cda36e54cbbe4fffe0214497d", "tree": "1e1489ed5080ea4aff6206bfa904f549de8e56ca", "parents": [ "1b50eed9cac0e8e5e4d3a522d8aa267f7f8f8acb" ], "author": { "name": "Steve Grubb", "email": "sgrubb@redhat.com", "time": "Fri Mar 31 15:22:49 2006 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon May 01 06:09:56 2006 -0400" }, "message": "[PATCH] change lspp ipc auditing\n\nHi,\n\nThe patch below converts IPC auditing to collect sid\u0027s and convert to context\nstring only if it needs to output an audit record. This patch depends on the\ninode audit change patch already being applied.\n\nSigned-off-by: Steve Grubb \u003csgrubb@redhat.com\u003e\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "1b9a3917366028cc451a98dd22e3bcd537d4e5c1", "tree": "d911058720e0a9aeeaf9f407ccdc6fbf4047f47d", "parents": [ "3661f00e2097676847deb01add1a0918044bd816", "71e1c784b24a026a490b3de01541fc5ee14ebc09" ], "author": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sat Mar 25 09:24:53 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sat Mar 25 09:24:53 2006 -0800" }, "message": "Merge branch \u0027audit.b3\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current\n\n* \u0027audit.b3\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current: (22 commits)\n [PATCH] fix audit_init failure path\n [PATCH] EXPORT_SYMBOL patch for audit_log, audit_log_start, audit_log_end and audit_format\n [PATCH] sem2mutex: audit_netlink_sem\n [PATCH] simplify audit_free() locking\n [PATCH] Fix audit operators\n [PATCH] promiscuous mode\n [PATCH] Add tty to syscall audit records\n [PATCH] add/remove rule update\n [PATCH] audit string fields interface + consumer\n [PATCH] SE Linux audit events\n [PATCH] Minor cosmetic cleanups to the code moved into auditfilter.c\n [PATCH] Fix audit record filtering with !CONFIG_AUDITSYSCALL\n [PATCH] Fix IA64 success/failure indication in syscall auditing.\n [PATCH] Miscellaneous bug and warning fixes\n [PATCH] Capture selinux subject/object context information.\n [PATCH] Exclude messages by message type\n [PATCH] Collect more inode information during syscall processing.\n [PATCH] Pass dentry, not just name, in fsnotify creation hooks.\n [PATCH] Define new range of userspace messages.\n [PATCH] Filter rule comparators\n ...\n\nFixed trivial conflict in security/selinux/hooks.c\n" }, { "commit": "12b5989be10011387a9da5dee82e5c0d6f9d02e7", "tree": "74da71d407bf26bf97c639bb2b473de233a736ac", "parents": [ "77d47582c2345e071df02afaf9191641009287c4" ], "author": { "name": "Chris Wright", "email": "chrisw@sous-sol.org", "time": "Sat Mar 25 03:07:41 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sat Mar 25 08:22:56 2006 -0800" }, "message": "[PATCH] refactor capable() to one implementation, add __capable() helper\n\nMove capable() to kernel/capability.c and eliminate duplicate\nimplementations. Add __capable() function which can be used to check for\ncapabiilty of any process.\n\nSigned-off-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "2c7946a7bf45ae86736ab3b43d0085e43947945c", "tree": "b956f301033ebaefe8d2701b257edfd947f537f3", "parents": [ "be33690d8fcf40377f16193c463681170eb6b295" ], "author": { "name": "Catherine Zhang", "email": "cxzhang@watson.ibm.com", "time": "Mon Mar 20 22:41:23 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 22:41:23 2006 -0800" }, "message": "[SECURITY]: TCP/UDP getpeersec\n\nThis patch implements an application of the LSM-IPSec networking\ncontrols whereby an application can determine the label of the\nsecurity association its TCP or UDP sockets are currently connected to\nvia getsockopt and the auxiliary data mechanism of recvmsg.\n\nPatch purpose:\n\nThis patch enables a security-aware application to retrieve the\nsecurity context of an IPSec security association a particular TCP or\nUDP socket is using. The application can then use this security\ncontext to determine the security context for processing on behalf of\nthe peer at the other end of this connection. In the case of UDP, the\nsecurity context is for each individual packet. An example\napplication is the inetd daemon, which could be modified to start\ndaemons running at security contexts dependent on the remote client.\n\nPatch design approach:\n\n- Design for TCP\nThe patch enables the SELinux LSM to set the peer security context for\na socket based on the security context of the IPSec security\nassociation. The application may retrieve this context using\ngetsockopt. When called, the kernel determines if the socket is a\nconnected (TCP_ESTABLISHED) TCP socket and, if so, uses the dst_entry\ncache on the socket to retrieve the security associations. If a\nsecurity association has a security context, the context string is\nreturned, as for UNIX domain sockets.\n\n- Design for UDP\nUnlike TCP, UDP is connectionless. This requires a somewhat different\nAPI to retrieve the peer security context. With TCP, the peer\nsecurity context stays the same throughout the connection, thus it can\nbe retrieved at any time between when the connection is established\nand when it is torn down. With UDP, each read/write can have\ndifferent peer and thus the security context might change every time.\nAs a result the security context retrieval must be done TOGETHER with\nthe packet retrieval.\n\nThe solution is to build upon the existing Unix domain socket API for\nretrieving user credentials. Linux offers the API for obtaining user\ncredentials via ancillary messages (i.e., out of band/control messages\nthat are bundled together with a normal message).\n\nPatch implementation details:\n\n- Implementation for TCP\nThe security context can be retrieved by applications using getsockopt\nwith the existing SO_PEERSEC flag. As an example (ignoring error\nchecking):\n\ngetsockopt(sockfd, SOL_SOCKET, SO_PEERSEC, optbuf, \u0026optlen);\nprintf(\"Socket peer context is: %s\\n\", optbuf);\n\nThe SELinux function, selinux_socket_getpeersec, is extended to check\nfor labeled security associations for connected (TCP_ESTABLISHED \u003d\u003d\nsk-\u003esk_state) TCP sockets only. If so, the socket has a dst_cache of\nstruct dst_entry values that may refer to security associations. If\nthese have security associations with security contexts, the security\ncontext is returned.\n\ngetsockopt returns a buffer that contains a security context string or\nthe buffer is unmodified.\n\n- Implementation for UDP\nTo retrieve the security context, the application first indicates to\nthe kernel such desire by setting the IP_PASSSEC option via\ngetsockopt. Then the application retrieves the security context using\nthe auxiliary data mechanism.\n\nAn example server application for UDP should look like this:\n\ntoggle \u003d 1;\ntoggle_len \u003d sizeof(toggle);\n\nsetsockopt(sockfd, SOL_IP, IP_PASSSEC, \u0026toggle, \u0026toggle_len);\nrecvmsg(sockfd, \u0026msg_hdr, 0);\nif (msg_hdr.msg_controllen \u003e sizeof(struct cmsghdr)) {\n cmsg_hdr \u003d CMSG_FIRSTHDR(\u0026msg_hdr);\n if (cmsg_hdr-\u003ecmsg_len \u003c\u003d CMSG_LEN(sizeof(scontext)) \u0026\u0026\n cmsg_hdr-\u003ecmsg_level \u003d\u003d SOL_IP \u0026\u0026\n cmsg_hdr-\u003ecmsg_type \u003d\u003d SCM_SECURITY) {\n memcpy(\u0026scontext, CMSG_DATA(cmsg_hdr), sizeof(scontext));\n }\n}\n\nip_setsockopt is enhanced with a new socket option IP_PASSSEC to allow\na server socket to receive security context of the peer. A new\nancillary message type SCM_SECURITY.\n\nWhen the packet is received we get the security context from the\nsec_path pointer which is contained in the sk_buff, and copy it to the\nancillary message space. An additional LSM hook,\nselinux_socket_getpeersec_udp, is defined to retrieve the security\ncontext from the SELinux space. The existing function,\nselinux_socket_getpeersec does not suit our purpose, because the\nsecurity context is copied directly to user space, rather than to\nkernel space.\n\nTesting:\n\nWe have tested the patch by setting up TCP and UDP connections between\napplications on two machines using the IPSec policies that result in\nlabeled security associations being built. For TCP, we can then\nextract the peer security context using getsockopt on either end. For\nUDP, the receiving end can retrieve the security context using the\nauxiliary data mechanism of recvmsg.\n\nSigned-off-by: Catherine Zhang \u003ccxzhang@watson.ibm.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "7306a0b9b3e2056a616c84841288ca2431a05627", "tree": "d3f61ef43c7079790d6b8ef9bf307689a7d9ea16", "parents": [ "8c8570fb8feef2bc166bee75a85748b25cda22d9" ], "author": { "name": "Dustin Kirkland", "email": "dustin.kirkland@us.ibm.com", "time": "Wed Nov 16 15:53:13 2005 +0000" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Mar 20 14:08:54 2006 -0500" }, "message": "[PATCH] Miscellaneous bug and warning fixes\n\nThis patch fixes a couple of bugs revealed in new features recently\nadded to -mm1:\n* fixes warnings due to inconsistent use of const struct inode *inode\n* fixes bug that prevent a kernel from booting with audit on, and SELinux off\n due to a missing function in security/dummy.c\n* fixes a bug that throws spurious audit_panic() messages due to a missing\n return just before an error_path label\n* some reasonable house cleaning in audit_ipc_context(),\n audit_inode_context(), and audit_log_task_context()\n\nSigned-off-by: Dustin Kirkland \u003cdustin.kirkland@us.ibm.com\u003e\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "8c8570fb8feef2bc166bee75a85748b25cda22d9", "tree": "ed783d405ea9d5f3d3ccc57fb56c7b7cb2cdfb82", "parents": [ "c8edc80c8b8c397c53f4f659a05b9ea6208029bf" ], "author": { "name": "Dustin Kirkland", "email": "dustin.kirkland@us.ibm.com", "time": "Thu Nov 03 17:15:16 2005 +0000" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Mar 20 14:08:54 2006 -0500" }, "message": "[PATCH] Capture selinux subject/object context information.\n\nThis patch extends existing audit records with subject/object context\ninformation. Audit records associated with filesystem inodes, ipc, and\ntasks now contain SELinux label information in the field \"subj\" if the\nitem is performing the action, or in \"obj\" if the item is the receiver\nof an action.\n\nThese labels are collected via hooks in SELinux and appended to the\nappropriate record in the audit code.\n\nThis additional information is required for Common Criteria Labeled\nSecurity Protection Profile (LSPP).\n\n[AV: fixed kmalloc flags use]\n[folded leak fixes]\n[folded cleanup from akpm (kfree(NULL)]\n[folded audit_inode_context() leak fix]\n[folded akpm\u0027s fix for audit_ipc_perm() definition in case of !CONFIG_AUDIT]\n\nSigned-off-by: Dustin Kirkland \u003cdustin.kirkland@us.ibm.com\u003e\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "53ea68ecea11bcbb3451c2758ce181bd97b569a9", "tree": "4e754db2a21db5b90a1650f2993d0b76c00cbd53", "parents": [ "89a2fa5f2139be35e214bcf86a8291d6a1da75f2" ], "author": { "name": "Stephen Smalley", "email": "sds@epoch.ncsc.mil", "time": "Fri Feb 03 08:21:12 2006 -0500" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Feb 03 18:31:33 2006 -0800" }, "message": "[PATCH] SELinux: fix size-128 slab leak\n\nRemove private inode tests from security_inode_alloc and security_inode_free,\nas we otherwise end up leaking inode security structures for private inodes.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "ed5a92700d3ce2646cb7763792a5f7ad1bade7e8", "tree": "83f0bb909c11e29c90fd3433284911ba7d76567e", "parents": [ "7ee26aa04d4dbd5e006b2f184d6028c71384681f" ], "author": { "name": "Randy Dunlap", "email": "rdunlap@xenotime.net", "time": "Wed Feb 01 03:05:00 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Wed Feb 01 08:53:11 2006 -0800" }, "message": "[PATCH] tpm_bios: needs more securityfs_ functions\n\ntpm_bios.c needs securityfs_xyz() functions.\n\nDoes include/linux/security.h need stubs for these, or should\nchar/tpm/Makefile just be modified to say:\n\nifdef CONFIG_ACPI\nifdef CONFIG_SECURITY\n\tobj-$(CONFIG_TCG_TPM) +\u003d tpm_bios.o\nendif\nendif\n\ndrivers/char/tpm/tpm_bios.c:494: warning: implicit declaration of function \u0027securityfs_create_dir\u0027\ndrivers/char/tpm/tpm_bios.c:494: warning: assignment makes pointer from integer without a cast\ndrivers/char/tpm/tpm_bios.c:499: warning: implicit declaration of function \u0027securityfs_create_file\u0027\ndrivers/char/tpm/tpm_bios.c:501: warning: assignment makes pointer from integer without a cast\ndrivers/char/tpm/tpm_bios.c:508: warning: assignment makes pointer from integer without a cast\ndrivers/char/tpm/tpm_bios.c:523: warning: implicit declaration of function \u0027securityfs_remove\u0027\n*** Warning: \"securityfs_create_file\" [drivers/char/tpm/tpm_bios.ko] undefined!\n*** Warning: \"securityfs_create_dir\" [drivers/char/tpm/tpm_bios.ko] undefined!\n*** Warning: \"securityfs_remove\" [drivers/char/tpm/tpm_bios.ko] undefined!\n\nThere are also some gcc and sparse warnings that could be fixed.\n(see http://www.xenotime.net/linux/doc/build-tpm.out)\n\nSigned-off-by: Randy Dunlap \u003crdunlap@xenotime.net\u003e\nCc: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Greg KH \u003cgreg@kroah.com\u003e\nCc: Kylene Jo Hall \u003ckjhall@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "df71837d5024e2524cd51c93621e558aa7dd9f3f", "tree": "58938f1d46f3c6713b63e5a785e82fdbb10121a1", "parents": [ "88026842b0a760145aa71d69e74fbc9ec118ca44" ], "author": { "name": "Trent Jaeger", "email": "tjaeger@cse.psu.edu", "time": "Tue Dec 13 23:12:27 2005 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Tue Jan 03 13:10:24 2006 -0800" }, "message": "[LSM-IPSec]: Security association restriction.\n\nThis patch series implements per packet access control via the\nextension of the Linux Security Modules (LSM) interface by hooks in\nthe XFRM and pfkey subsystems that leverage IPSec security\nassociations to label packets. Extensions to the SELinux LSM are\nincluded that leverage the patch for this purpose.\n\nThis patch implements the changes necessary to the XFRM subsystem,\npfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a\nsocket to use only authorized security associations (or no security\nassociation) to send/receive network packets.\n\nPatch purpose:\n\nThe patch is designed to enable access control per packets based on\nthe strongly authenticated IPSec security association. Such access\ncontrols augment the existing ones based on network interface and IP\naddress. The former are very coarse-grained, and the latter can be\nspoofed. By using IPSec, the system can control access to remote\nhosts based on cryptographic keys generated using the IPSec mechanism.\nThis enables access control on a per-machine basis or per-application\nif the remote machine is running the same mechanism and trusted to\nenforce the access control policy.\n\nPatch design approach:\n\nThe overall approach is that policy (xfrm_policy) entries set by\nuser-level programs (e.g., setkey for ipsec-tools) are extended with a\nsecurity context that is used at policy selection time in the XFRM\nsubsystem to restrict the sockets that can send/receive packets via\nsecurity associations (xfrm_states) that are built from those\npolicies.\n\nA presentation available at\nwww.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf\nfrom the SELinux symposium describes the overall approach.\n\nPatch implementation details:\n\nOn output, the policy retrieved (via xfrm_policy_lookup or\nxfrm_sk_policy_lookup) must be authorized for the security context of\nthe socket and the same security context is required for resultant\nsecurity association (retrieved or negotiated via racoon in\nipsec-tools). This is enforced in xfrm_state_find.\n\nOn input, the policy retrieved must also be authorized for the socket\n(at __xfrm_policy_check), and the security context of the policy must\nalso match the security association being used.\n\nThe patch has virtually no impact on packets that do not use IPSec.\nThe existing Netfilter (outgoing) and LSM rcv_skb hooks are used as\nbefore.\n\nAlso, if IPSec is used without security contexts, the impact is\nminimal. The LSM must allow such policies to be selected for the\ncombination of socket and remote machine, but subsequent IPSec\nprocessing proceeds as in the original case.\n\nTesting:\n\nThe pfkey interface is tested using the ipsec-tools. ipsec-tools have\nbeen modified (a separate ipsec-tools patch is available for version\n0.5) that supports assignment of xfrm_policy entries and security\nassociations with security contexts via setkey and the negotiation\nusing the security contexts via racoon.\n\nThe xfrm_user interface is tested via ad hoc programs that set\nsecurity contexts. These programs are also available from me, and\ncontain programs for setting, getting, and deleting policy for testing\nthis interface. Testing of sa functions was done by tracing kernel\nbehavior.\n\nSigned-off-by: Trent Jaeger \u003ctjaeger@cse.psu.edu\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "29db9190634067c5a328ee5fcc2890251b836b4b", "tree": "07ec242789230824f1fa8bcbbe681fd5bf166fa8", "parents": [ "2aa349f6e37ce030060c994d3aebbff4ab703565" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Sun Oct 30 15:02:44 2005 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sun Oct 30 17:37:23 2005 -0800" }, "message": "[PATCH] Keys: Add LSM hooks for key management [try #3]\n\nThe attached patch adds LSM hooks for key management facilities. The notable\nchanges are:\n\n (1) The key struct now supports a security pointer for the use of security\n modules. This will permit key labelling and restrictions on which\n programs may access a key.\n\n (2) Security modules get a chance to note (or abort) the allocation of a key.\n\n (3) The key permission checking can now be enhanced by the security modules;\n the permissions check consults LSM if all other checks bear out.\n\n (4) The key permissions checking functions now return an error code rather\n than a boolean value.\n\n (5) An extra permission has been added to govern the modification of\n attributes (UID, GID, permissions).\n\nNote that there isn\u0027t an LSM hook specifically for each keyctl() operation,\nbut rather the permissions hook allows control of individual operations based\non the permission request bits.\n\nKey management access control through LSM is enabled by automatically if both\nCONFIG_KEYS and CONFIG_SECURITY are enabled.\n\nThis should be applied on top of the patch ensubjected:\n\n\t[PATCH] Keys: Possessor permissions should be additive\n\nSigned-Off-By: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Chris Wright \u003cchrisw@osdl.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "d381d8a9a08cac9824096213069159be17fd2e2f", "tree": "0c19722b8f67c29b7c08c6ab8776a9c146395d03", "parents": [ "89d155ef62e5e0c10e4b37aaa5056f0beafe10e6" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sun Oct 30 14:59:22 2005 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sun Oct 30 17:37:11 2005 -0800" }, "message": "[PATCH] SELinux: canonicalize getxattr()\n\nThis patch allows SELinux to canonicalize the value returned from\ngetxattr() via the security_inode_getsecurity() hook, which is called after\nthe fs level getxattr() function.\n\nThe purpose of this is to allow the in-core security context for an inode\nto override the on-disk value. This could happen in cases such as\nupgrading a system to a different labeling form (e.g. standard SELinux to\nMLS) without needing to do a full relabel of the filesystem.\n\nIn such cases, we want getxattr() to return the canonical security context\nthat the kernel is using rather than what is stored on disk.\n\nThe implementation hooks into the inode_getsecurity(), adding another\nparameter to indicate the result of the preceding fs-level getxattr() call,\nso that SELinux knows whether to compare a value obtained from disk with\nthe kernel value.\n\nWe also now allow getxattr() to work for mountpoint labeled filesystems\n(i.e. mount with option context\u003dfoo_t), as we are able to return the\nkernel value to the user.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "7d877f3bda870ab5f001bd92528654471d5966b3", "tree": "1c05b62abead153956c4ca250ffb1891887e77c9", "parents": [ "fd4f2df24bc23e6b8fc069765b425c7dacf52347" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Fri Oct 21 03:20:43 2005 -0400" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Oct 28 08:16:47 2005 -0700" }, "message": "[PATCH] gfp_t: net/*\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "dd0fc66fb33cd610bc1a5db8a5e232d34879b4d7", "tree": "51f96a9db96293b352e358f66032e1f4ff79fafb", "parents": [ "3b0e77bd144203a507eb191f7117d2c5004ea1de" ], "author": { "name": "Al Viro", "email": "viro@ftp.linux.org.uk", "time": "Fri Oct 07 07:46:04 2005 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sat Oct 08 15:00:57 2005 -0700" }, "message": "[PATCH] gfp flags annotations - part 1\n\n - added typedef unsigned int __nocast gfp_t;\n\n - replaced __nocast uses for gfp flags with gfp_t - it gives exactly\n the same warnings as far as sparse is concerned, doesn\u0027t change\n generated code (from gcc point of view we replaced unsigned int with\n typedef) and documents what\u0027s going on far better.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "ddbf9ef385bfbef897210733abfb73cb9b94ecec", "tree": "64a9e965a71eef13e813a3327f8d74aa7168ee19", "parents": [ "5d54e69c68c05b162a56f9914cae72afd7e6f40a", "2c40579bdc2a94977fcff2521d5b53a97c33e77a" ], "author": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Tue Sep 13 09:48:54 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Tue Sep 13 09:48:54 2005 -0700" }, "message": "Merge master.kernel.org:/pub/scm/linux/kernel/git/chrisw/lsm-2.6 \n" }, { "commit": "e31e14ec356f36b131576be5bc31d8fef7e95483", "tree": "5597419cf186904d77c4b4ecf117287bcc1db986", "parents": [ "a74574aafea3a63add3251047601611111f44562" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Fri Sep 09 13:01:45 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Sep 09 13:57:28 2005 -0700" }, "message": "[PATCH] remove the inode_post_link and inode_post_rename LSM hooks\n\nThis patch removes the inode_post_link and inode_post_rename LSM hooks as\nthey are unused (and likely useless).\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "a74574aafea3a63add3251047601611111f44562", "tree": "a8f4a809589513c666c6f5518cbe84f50ee5523e", "parents": [ "570bc1c2e5ccdb408081e77507a385dc7ebed7fa" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Fri Sep 09 13:01:44 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Sep 09 13:57:28 2005 -0700" }, "message": "[PATCH] Remove security_inode_post_create/mkdir/symlink/mknod hooks\n\nThis patch removes the inode_post_create/mkdir/mknod/symlink LSM hooks as\nthey are obsoleted by the new inode_init_security hook that enables atomic\ninode security labeling.\n\nIf anyone sees any reason to retain these hooks, please speak now. Also,\nis anyone using the post_rename/link hooks; if not, those could also be\nremoved.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "5e41ff9e0650f327a6c819841fa412da95d57319", "tree": "a525df8bda34c2aa52f30326f94cd15109bb58b3", "parents": [ "f5ee56cc184e0944ebc9ff1691985219959596f6" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Fri Sep 09 13:01:35 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Sep 09 13:57:27 2005 -0700" }, "message": "[PATCH] security: enable atomic inode security labeling\n\nThe following patch set enables atomic security labeling of newly created\ninodes by altering the fs code to invoke a new LSM hook to obtain the security\nattribute to apply to a newly created inode and to set up the incore inode\nsecurity state during the inode creation transaction. This parallels the\nexisting processing for setting ACLs on newly created inodes. Otherwise, it\nis possible for new inodes to be accessed by another thread via the dcache\nprior to complete security setup (presently handled by the\npost_create/mkdir/... LSM hooks in the VFS) and a newly created inode may be\nleft unlabeled on the disk in the event of a crash. SELinux presently works\naround the issue by ensuring that the incore inode security label is\ninitialized to a special SID that is inaccessible to unprivileged processes\n(in accordance with policy), thereby preventing inappropriate access but\npotentially causing false denials on legitimate accesses. A simple test\nprogram demonstrates such false denials on SELinux, and the patch solves the\nproblem. Similar such false denials have been encountered in real\napplications.\n\nThis patch defines a new inode_init_security LSM hook to obtain the security\nattribute to apply to a newly created inode and to set up the incore inode\nsecurity state for it, and adds a corresponding hook function implementation\nto SELinux.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" } ], "next": "20380731bc2897f2952ae055420972ded4cd786e" }